From 5a526a5f4fbcda4de22d9adc09575e1dd6262827 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Tue, 5 Sep 2017 19:33:20 -0400 Subject: [PATCH 01/88] Update main.bro The HTTP "Origin" header is a useful header for CSRF, Chrome plugins making requests, and other scenarios where referrer may not be present. Reference: https://tools.ietf.org/html/rfc6454#section-7 ---- "In some sense, the origin granularity is a historical artifact of how the security model evolved." Especially useful if origin/referrer is a "file://" ---- https://tools.ietf.org/html/rfc6454#section-4 --- scripts/base/protocols/http/main.bro | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 51a89a33b9..381411436c 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -46,6 +46,8 @@ export { version: string &log &optional; ## Value of the User-Agent header from the client. user_agent: string &log &optional; + ## Value of the Origin header from the client. + origin: string &log &optional; ## Actual uncompressed content size of the data transferred from ## the client. request_body_len: count &log &default=0; @@ -258,8 +260,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr else if ( name == "RANGE" ) c$http$range_request = T; - else if ( name == "USER-AGENT" ) - c$http$user_agent = value; + else if ( name == "ORIGIN" ) + c$http$origin = value; else if ( name in proxy_headers ) { From 4330b7922c236140b9cc66bb2d22d6cbbd8fbda3 Mon Sep 17 00:00:00 2001 
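Review bot: The second hunk of main.bro replaces the `USER-AGENT` branch of `http_header` instead of adding a branch next to it, so `c$http$user_agent` is no longer assigned in the visible code while the `user_agent` field stays in the record. http.log would then carry an unset user_agent column, which breaks any detection or hunt keyed on it. Keep the two removed lines and add the new branch after them: `else if ( name == "ORIGIN" )` followed by `c$http$origin = value;`. The handler body starts and ends outside the hunk, so confirm no other branch sets the field.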
From: mauro Date: Mon, 4 Feb 2019 17:05:50 +0100 Subject: [PATCH 02/88] smb3.1.1 additions to negotiate-response command --- aux/broker | 2 +- doc | 2 +- scripts/base/init-bare.bro | 49 +++++++++ src/3rdparty | 2 +- .../protocol/smb/smb2-com-negotiate.pac | 103 ++++++++++++++---- src/analyzer/protocol/smb/smb2-protocol.pac | 42 +++++++ src/analyzer/protocol/smb/types.bif | 7 +- 7 files changed, 180 insertions(+), 27 deletions(-) diff --git a/aux/broker b/aux/broker index bf734622dc..c7b1dfd38e 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit bf734622dceaafaf7a481185efd22bd7cc805f9b +Subproject commit c7b1dfd38ec6c42729f8c462eef6457a8dd948b6 diff --git a/doc b/doc index 5acafa0d34..c0092fab7b 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 5acafa0d340a6f4096dccbe69b8fb62d7c9ce87f +Subproject commit c0092fab7b28c029eddb6b9b654f6096d8e4456a diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 600a507d4f..0a23ed4e13 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -3226,6 +3226,49 @@ export { attrs : SMB2::FileAttrs; }; + ## Preauthentication information as defined in SMB v. 3.1.1 + ## + ## For more information, see MS-SMB2:2.3.1.1 + ## + type SMB2::preauth: record { + ## the number of hash algorithms + hash_alg_count : count; + ## the salt length + salt_length : count; + ## an array of hash algorithms (counts) + hash_alg : vector of count; + ## the salt + salt : string; + }; + + ## Encryption information as defined in SMB v. 3.1.1 + ## + ## For more information, see MS-SMB2:2.3.1.2 + ## + type SMB2::encryption: record { + ## the number of ciphers + cipher_count : count; + ## an array of ciphers + ciphers : vector of count; + }; + + ## The context type information as defined in SMB v. 3.1.1 + ## + ## For more information, see MS-SMB2:2.3.1 + ## + type SMB2::context_value: record { + ## specifies the type of context (preauth or encryption) + context_type : count; + ## the length in byte of the data field + data_length : count; + ## the preauthentication information + preauth_info : SMB2::preauth; + ## the encryption information + encryption_info : SMB2::encryption; + }; + + type SMB2::context_values: vector of context_value; + ## The response to an SMB2 *negotiate* request, which is used by tghe client to notify the server ## what dialects of the SMB2 protocol the client understands. ## @@ -3244,6 +3287,11 @@ export { system_time : time; ## The SMB2 server start time. server_start_time : time; + + ## The number of negotiate context values in SMB v. 3.1.1, otherwise reserved to 0 + negotiate_context_count : count; + ## An array of context values in SMB v. 3.1.1 + negotiate_context_values : context_values; }; ## The request sent by the client to request a new authenticated session @@ -3327,6 +3375,7 @@ export { ## The action taken in establishing the open. create_action : count; }; + } module GLOBAL; diff --git a/src/3rdparty b/src/3rdparty index 6e93c5546a..b822eeed58 160000 --- a/src/3rdparty +++ b/src/3rdparty 
@@ -1 +1 @@ -Subproject commit 6e93c5546a4770d513fb57213d7b29e39e12bf4d +Subproject commit b822eeed58c4a1ee3781f1f8c8a19fd590dc4a04 diff --git a/src/analyzer/protocol/smb/smb2-com-negotiate.pac b/src/analyzer/protocol/smb/smb2-com-negotiate.pac index 39311e4ee3..f03422c212 100644 --- a/src/analyzer/protocol/smb/smb2-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb2-com-negotiate.pac @@ -1,3 +1,19 @@ +enum smb3_capabilities { + SMB2_GLOBAL_CAP_DFS = 0, + SMB2_GLOBAL_CAP_LEASING = 2, + SMB2_GLOBAL_CAP_LARGE_MTU = 4, + SMB2_GLOBAL_CAP_MULTI_CHANNEL = 8, + SMB2_GLOBAL_CAP_PERSISTENT_HANDLES = 10, + SMB2_GLOBAL_CAP_DIRECTORY_LEASING = 20, + SMB2_GLOBAL_CAP_ENCRYPTION = 40, +}; + +enum smb3_context_type { + SMB2_PREAUTH_INTEGRITY_CAPABILITIES = 0x0001, + SMB2_ENCRYPTION_CAPABILITIES = 0x0002, +}; + + refine connection SMB_Conn += { function proc_smb2_negotiate_request(h: SMB2_Header, val: SMB2_negotiate_request) : bool @@ -25,9 +41,21 @@ refine connection SMB_Conn += { nr->Assign(0, val_mgr->GetCount(${val.dialect_revision})); nr->Assign(1, val_mgr->GetCount(${val.security_mode})); - nr->Assign(2, BuildSMB2GUID(${val.server_guid})), + nr->Assign(2, BuildSMB2GUID(${val.server_guid})); nr->Assign(3, filetime2brotime(${val.system_time})); nr->Assign(4, filetime2brotime(${val.server_start_time})); + nr->Assign(5, val_mgr->GetCount(${val.negotiate_context_count})); + + VectorVal* cv = new VectorVal(BifType::Vector::SMB2::context_values); + int num_context_values = ${val.negotiate_context_count}; + if (num_context_values > 0) // check if there are context_values, i.e. SMB v.3.1.1 + for ( int i = 0; i < num_context_values; ++i ) + { + cv->Assign(i, BuildSMB2ContextVal(${val.smb3_ncl[i]})); + } + + nr->Assign(6, cv); // empty vector if not SMB v.3.1.1 + BifEvent::generate_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), nr); 
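Review bot: The `smb3_capabilities` enum is written in decimal, but its values look like the hex bit flags of the MS-SMB2 Capabilities field, and `SMB2_GLOBAL_CAP_DFS = 0` can never be tested as a flag. As written, `10`, `20` and `40` each span several bits that belong to other capabilities, so any later mask against `capabilities` would misreport what the peer offered (including encryption). Use `SMB2_GLOBAL_CAP_DFS = 0x01`, `SMB2_GLOBAL_CAP_PERSISTENT_HANDLES = 0x10`, `SMB2_GLOBAL_CAP_DIRECTORY_LEASING = 0x20`, `SMB2_GLOBAL_CAP_ENCRYPTION = 0x40`, with the other three written as `0x02`, `0x04`, `0x08`. The enum is not referenced in the visible hunks, and the comment on `capabilities` in `SMB2_negotiate_request` calls it `smb2_capabilities`.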
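Review bot: The loop added to `proc_smb2_negotiate_response` indexes `${val.smb3_ncl[i]}` whenever `negotiate_context_count` is non-zero, but `smb3_ncl` only exists when `dialect_revision` is `0x0311`; for every other dialect those two bytes are a reserved field that the sender controls. A non-3.1.1 response with a non-zero reserved value would select the `default -> unknown : empty` arm, and the access presumably raises a binpac case exception, dropping the event and leaking `nr` and `cv`. Guard on the dialect as well: `if ( ${val.dialect_revision} == 0x0311 && num_context_values > 0 )`. The function body starts outside the hunk.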
@@ -37,35 +65,64 @@ refine connection SMB_Conn += { %} }; +type SMB3_preauth_integrity_capabilities = record { + hash_alg_count : uint16; + salt_length : uint16; + hash_alg : uint16[hash_alg_count]; + salt : bytestring &length = salt_length; #TODO is a bytestring ok for this field? +}; + +type SMB3_encryption_capabilities = record { + cipher_count : uint16; + ciphers : uint16[cipher_count]; +}; + +type SMB3_negotiate_context_values = record { + context_type : uint16; # specify the type of context + data_length : uint16; # the length of the data field + reserved : uint32; # ignored + data : case context_type of { + SMB2_PREAUTH_INTEGRITY_CAPABILITIES -> preauth_integrity_capabilities : SMB3_preauth_integrity_capabilities; + SMB2_ENCRYPTION_CAPABILITIES -> encryption_capabilities : SMB3_encryption_capabilities; + }; + pad : padding align 4; +}; + type SMB2_negotiate_request(header: SMB2_Header) = record { - structure_size : uint16; # client MUST set this to 36 - dialect_count : uint16; # must be > 0 - security_mode : uint16; # there is a list of required modes - reserved : padding[2]; # must be set to 0 - capabilities : uint32; # must be set to 0 - client_guid : SMB2_guid; # guid if client implements SMB 2.1 dialect, otherwise set to 0 - client_start_time : SMB_timestamp; # must be set to 0 + structure_size : uint16; # client MUST set this to 36 + dialect_count : uint16; # must be > 0 + security_mode : uint16; # there is a list of required modes + reserved : padding[2]; # must be set to 0 + capabilities : uint32; # must be set to 0 if SMB 2.x, otherwise if SMB 3.x one of enum smb2_capabilities + client_guid : SMB2_guid; # guid if client implements SMB 2.1 dialect, otherwise set to 0 + client_start_time : SMB_timestamp; dialects : uint16[dialect_count]; } &byteorder=littleendian, &let { proc : bool = $context.connection.proc_smb2_negotiate_request(header, this); }; type SMB2_negotiate_response(header: SMB2_Header) = record { - structure_size : uint16; - security_mode 
: uint16; - dialect_revision : uint16; - reserved : padding[2]; - server_guid : SMB2_guid; - capabilities : uint32; - max_transact_size : uint32; - max_read_size : uint32; - max_write_size : uint32; - system_time : SMB_timestamp; - server_start_time : SMB_timestamp; - security_offset : uint16; - security_length : uint16; - pad1 : padding to security_offset - header.head_length; - security_blob : bytestring &length=security_length; + structure_size : uint16; + security_mode : uint16; + dialect_revision : uint16; + negotiate_context_count : uint16; # reserved to 0 if not smb 3.1.1 + server_guid : SMB2_guid; + capabilities : uint32; + max_transact_size : uint32; + max_read_size : uint32; + max_write_size : uint32; + system_time : SMB_timestamp; + server_start_time : SMB_timestamp; + security_offset : uint16; + security_length : uint16; + negotiate_context_offset : uint32; + pad1 : padding to security_offset - header.head_length; + security_blob : bytestring &length=security_length; + pad2 : padding align 8; # optional padding + negotiate_context_list : case dialect_revision of { # check the dialect + 0x0311 -> smb3_ncl: SMB3_negotiate_context_values[negotiate_context_count]; # if it is v. 3.1.1 + default -> unknown : empty; # any other version + }; } &byteorder=littleendian, &let { proc : bool = $context.connection.proc_smb2_negotiate_response(header, this); gssapi_proc : bool = $context.connection.forward_gssapi(security_blob, false); diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index f5095a66d1..7579c09dff 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac 
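Review bot: `SMB3_negotiate_context_values` has no `default` arm in `case context_type of` and never uses `data_length` to bound `data`, so a peer that offers any context type other than 0x0001 or 0x0002 stops the parse of the whole negotiate response, and a context whose counts disagree with its declared length shifts every context after it. Add a catch-all such as `default -> unknown : bytestring &length = data_length;` and check the two known arms against `data_length` before trusting `hash_alg_count`, `salt_length` and `cipher_count`. `negotiate_context_offset` is parsed but unused; the list is located with `padding align 8`, whereas `pad1` follows the offset the peer sent. Locating the list with `padding to negotiate_context_offset - header.head_length` would be consistent with that, assuming the offset is header-relative like `security_offset`.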
@@ -100,6 +100,48 @@ refine connection SMB_Conn += { std::map smb2_request_tree_id; %} + function BuildSMB2ContextVal(ncv: SMB3_negotiate_context_values): BroVal + %{ + RecordVal* r = new RecordVal(BifType::Record::SMB2::context_value); + + r->Assign(0, val_mgr->GetCount(${ncv.context_type})); + r->Assign(1, val_mgr->GetCount(${ncv.data_length})); + + RecordVal* rpreauth = new RecordVal(BifType::Record::SMB2::preauth); + RecordVal* rencr = new RecordVal(BifType::Record::SMB2::encryption); + if (${ncv.context_type} == 1) // it is a preauth context type + { + rpreauth->Assign(0, val_mgr->GetCount(${ncv.preauth_integrity_capabilities.hash_alg_count})); + rpreauth->Assign(1, val_mgr->GetCount(${ncv.preauth_integrity_capabilities.salt_length})); + + VectorVal* ha = new VectorVal(internal_type("index_vec")->AsVectorType()); + for ( int i = 0; i < (${ncv.preauth_integrity_capabilities.hash_alg_count}); ++i ) + { + ha->Assign(i, val_mgr->GetCount(${ncv.preauth_integrity_capabilities.hash_alg[i]})); + } + + rpreauth->Assign(2, ha); + rpreauth->Assign(3, bytestring_to_val(${ncv.preauth_integrity_capabilities.salt})); + } + else if (${ncv.context_type} == 2) // it is a encryption context type + { + rencr->Assign(0, val_mgr->GetCount(${ncv.encryption_capabilities.cipher_count})); + + VectorVal* c = new VectorVal(internal_type("index_vec")->AsVectorType()); + for ( int i = 0; i < (${ncv.encryption_capabilities.cipher_count}); ++i ) + { + c->Assign(i, val_mgr->GetCount(${ncv.encryption_capabilities.ciphers[i]})); + } + + rencr->Assign(1, c); + } + + r->Assign(2, rpreauth); + r->Assign(3, rencr); + + return r; + %} + function BuildSMB2HeaderVal(hdr: SMB2_Header): BroVal %{ RecordVal* r = new RecordVal(BifType::Record::SMB2::Header); diff --git a/src/analyzer/protocol/smb/types.bif b/src/analyzer/protocol/smb/types.bif index 4714046a62..9a037ddba6 100644 --- a/src/analyzer/protocol/smb/types.bif +++ b/src/analyzer/protocol/smb/types.bif 
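Review bot: `BuildSMB2ContextVal` always assigns both `preauth_info` and `encryption_info`, so the record for the context type that is absent is handed to scripts with its count fields unset, while `SMB2::context_value` in init-bare.bro declares neither field `&optional`. The baseline added later in this series shows the effect (`encryption_info=[cipher_count=, ciphers=[]]`); a script that reads `cipher_count` on a preauth context would presumably fail at runtime. Declare both fields `&optional`, allocate and assign only the record that matches `context_type`, and compare against `SMB2_PREAUTH_INTEGRITY_CAPABILITIES` / `SMB2_ENCRYPTION_CAPABILITIES` instead of the literals `1` and `2`.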
@@ -4,4 +4,9 @@ type SMB1::Header: record; type SMB2::Header: record; type SMB2::GUID: record; -type SMB2::FileAttrs: record; \ No newline at end of file +type SMB2::FileAttrs: record; + +type SMB2::preauth: record; +type SMB2::encryption: record; +type SMB2::context_value: record; +type SMB2::context_values: vector; From 5262237c3b6b8dcfd01851ad05de7a20067fcc18 Mon Sep 17 00:00:00 2001 From: Ryan Denniston Date: Fri, 18 Jan 2019 13:50:22 -0800 Subject: [PATCH 03/88] Add linux netfilter NFLOG capture functionality initial commit modified GetLinkHeaderSize to support link type modified ProcessLayer2 to support NFLOG packets expecting out of the box support from libpcap hacking my way around bpf, bpf is not supported in libpcap (would be easy to implement) but at the moment, throw a warn if applying a filter and short circuit bpf code. want to ensure this works... commenting out error states. Fixed SetFilter to properly detect m_matches_anything, which is used by the DLT_NFLOG type to short circuit bpf filters. Added NFLOG parsing to zeek source, added m_matches_anything flag check for bpf functionality (NFLOG is bpf incompatible, but shouldn't be) --- src/iosource/BPF_Program.cc | 7 ++++++ src/iosource/Packet.cc | 44 +++++++++++++++++++++++++++++++++++++ src/iosource/pcap/Source.cc | 5 +++++ 3 files changed, 56 insertions(+) diff --git a/src/iosource/BPF_Program.cc b/src/iosource/BPF_Program.cc index 451a74bed3..e284720fad 100644 --- a/src/iosource/BPF_Program.cc +++ b/src/iosource/BPF_Program.cc @@ -104,6 +104,13 @@ bool BPF_Program::Compile(int snaplen, int linktype, const char* filter, { FreeCode(); + if ( linktype == DLT_NFLOG ) //hacky way to support nflog but not bpf + { + m_compiled = true; + m_matches_anything = true; + return true; + } + #ifdef LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER char my_error[PCAP_ERRBUF_SIZE]; diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index a5c2622ecf..99f1017bdc 100644 --- a/src/iosource/Packet.cc 
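Review bot: The `DLT_NFLOG` early return in `BPF_Program::Compile` reports success for any `filter` string without applying it, so an operator who sets a capture filter on an NFLOG source receives every packet and gets no indication that the filter was dropped. The commit message mentions a warning, but this hunk emits none. Emit a warning when `filter` is non-empty (or fail the compile), and replace `//hacky way to support nflog but not bpf` with a comment stating that filters are not applied for this link type. The function body continues outside the hunk.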
+++ b/src/iosource/Packet.cc @@ -92,6 +92,9 @@ int Packet::GetLinkHeaderSize(int link_type) case DLT_IEEE802_11_RADIO: // 802.11 plus RadioTap return 59; + case DLT_NFLOG: //Linux netlink NETLINK NFLOG socket log messages + return 8; //base l2 header up to TLV values + case DLT_RAW: return 0; } @@ -395,6 +398,47 @@ void Packet::ProcessLayer2() break; } + case DLT_NFLOG: + { + + int protocol = pdata[0]; //https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html + if ( protocol == AF_INET ) + l3_proto = L3_IPV4; + else if ( protocol == AF_INET6 ) + l3_proto = L3_IPV6; + //skip header to tlv structs + pdata += 4; + + int tlv_len; + int tlv_type; + + while(1){ + if ( pdata >= end_of_data ) + { + Weird("nflog_no_pcap_payload"); + return; + } + + tlv_len = (pdata[1] << 8 )+ pdata[0]; //lil' endian + tlv_type = (pdata[3] << 8) + pdata[2]; + + //tlv's are in groups of 8 bytes min padding apparently + if (tlv_len < 8){ + tlv_len = 8; + } + //if 9, then raw packet is straight away after. + if (tlv_type == 9){ //type nflog payload + pdata += 4; //skip the tlv type and length to put the payload at the front of the buffer. + break; + }else{ + pdata += tlv_len; + } + + } + break; + + } + default: { // Assume we're pointing at IP. Just figure out which version. diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc index 0a0633ece0..ac4e801ae3 100644 --- a/src/iosource/pcap/Source.cc +++ b/src/iosource/pcap/Source.cc @@ -247,6 +247,11 @@ bool PcapSource::SetFilter(int index) return false; } + //if the filter matches anything, return true + if ( code->MatchesAnything() ) + { + return true; + } if ( pcap_setfilter(pd, code->GetProgram()) < 0 ) { PcapError(); From c9cc1a55b95fea3600709c0ed2b50492b32ca5e6 Mon Sep 17 00:00:00 2001 
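Review bot: The `DLT_NFLOG` case in `ProcessLayer2` reads `pdata[0]` before any length check, and inside the loop reads `pdata[0]` through `pdata[3]` after checking only `pdata >= end_of_data`, so a capture that ends one to three bytes into a TLV header is read past `end_of_data`; `pdata += tlv_len` can also move the pointer beyond the buffer on a length taken from the packet. Check that four bytes remain before each header read and that `tlv_len` fits in what is left before advancing, as sketched below. A family byte that is neither `AF_INET` nor `AF_INET6` leaves `l3_proto` at whatever value it had before the switch (set outside the hunk) and should raise its own `Weird` and return. ProcessLayer2 begins and ends outside the hunk.

```cpp
case DLT_NFLOG:
	{
	// The fixed NFLOG header is 4 bytes; make sure it is present
	// before the family byte is read.
	if ( end_of_data - pdata < 4 )
		{
		Weird("nflog_no_pcap_payload");
		return;
		}

	// … unchanged: family byte -> l3_proto, pdata += 4 …

	while ( true )
		{
		// Each TLV starts with a 4-byte length/type header.
		if ( end_of_data - pdata < 4 )
			{
			Weird("nflog_no_pcap_payload");
			return;
			}

		// … unchanged: tlv_len / tlv_type decoding, minimum-length
		//   clamp, payload-type branch that breaks out of the loop …

		// Never advance past the captured bytes.
		if ( tlv_len > end_of_data - pdata )
			{
			Weird("nflog_no_pcap_payload");
			return;
			}

		pdata += tlv_len;
		}
	break;
	}
```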
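Review bot: The early return in `PcapSource::SetFilter` on `code->MatchesAnything()` skips `pcap_setfilter` for every link type, not only NFLOG, so switching from a restrictive filter to a match-anything one would leave the earlier program installed on `pd`. If that path is reachable, the capture keeps dropping traffic the operator now expects to see. Limit the shortcut to the NFLOG case, or state why skipping is safe with a comment such as `// NFLOG: Compile() built no program, so there is nothing to install`. The function body starts and ends outside the hunk.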
From: mauro Date: Tue, 5 Feb 2019 15:05:51 +0100 Subject: [PATCH 04/88] added test and pcap files for smb 3.1.1 negotiate-response --- .../scripts.base.protocols.smb.smb311/.stdout | 1 + testing/btest/Traces/smb/smb311.pcap | Bin 0 -> 10304 bytes .../scripts/base/protocols/smb/smb311.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb311/.stdout create mode 100644 testing/btest/Traces/smb/smb311.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb311.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb311/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb311/.stdout new file mode 100644 index 0000000000..3808c1d8f0 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb311/.stdout @@ -0,0 +1 @@ +smb2_negotiate_response 192.168.100.168 -> 10.160.67.244:445 [dialect_revision=785, security_mode=3, server_guid=[persistent=5167561042355431755, volatile=7583560952700542861], system_time=1547145849.626981, server_start_time=1540586308.948775, negotiate_context_count=2, negotiate_context_values=[[context_type=1, data_length=38, preauth_info=[hash_alg_count=1, salt_length=32, hash_alg=[1], salt=\x17\xa3\x95(\x0d\x0dt\xecZ\xe5\x0e\x1a\xef\x85\x07]U\x99\x86B\xd0\xeb\xc8\x08\xe0\x0a\xad\x01p\x9a/\xb7], encryption_info=[cipher_count=, ciphers=[]]], [context_type=2, data_length=4, preauth_info=[hash_alg_count=, salt_length=, hash_alg=[], salt=], encryption_info=[cipher_count=1, ciphers=[1]]]]] 
diff --git a/testing/btest/Traces/smb/smb311.pcap b/testing/btest/Traces/smb/smb311.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b6f4521676c00ea33943e6efbc1afceea60a3941 GIT binary patch literal 10304 zcmchccRbeL|Nmc?J<#Rwycz79y9KLfJ|7OkGJ?nb}eHh_|dV%S^*o;caiSGD6BG z<1!N8b1p@$KEK}o{mykeuh%)Ran9@cyg#1joY(83*twHJ4nYt_(ZftAuwVa~h!9Rh zP4$|=of{lHm(A~(SivGMhamq6{$s~Dcx*Qcyx3{AKga}tA0d)>|0wlJ3 z#E5QAC3X#zVOCK?ND28=)RAUs88So$L1v0N&<*) z>1uT5;&`G zOG0v(1Vv0t5RW-}Jzn&v2nhwK6QSHs6A-YGkRS4vb6=!I5fI>t-Wx>Zee1qXKtaVA}e*`*l8iOCC0?S%0$oH%;MG^lkL3rB!u(q z+-W_bHB7}c?M14i{*Sk0(|8rxCyES|Wt2cJJ}<}wviSruOppy5x*A&o$}s<--Rz<+ zoOT~<*RE>HP+nONV6#y0WP=UhG64C2M(+O328FnTLmLU6gz3N7Fv7?FnKTiOUq$4i znu4OLsuIvCf}A8E`?Pstvj7i4`;>lm1?`iOtHB-xb(sIq-hPZ5PJ5QywO7`IwpHVV z+VhOw)ZP_nBWQf=mwmet83rpPqy!=jw!08hme6QMuFLTj*5pbj&>UQm8T-B2%N z8Qb-u#yON%UIX>wP5DbN{z5=6S3phemp@^Tzw70f2>#2T+x4;vo57`Ddimu@G&mXr zesB*{6Ua>92lp_IfxHX+CcyqAfzPLjfvAkdPKx3A_X$bfq!&|AKfUnFLz&!~JGscy zsNlW-KWG>L9o$6B5etwZ+dGH>*xmwr1W|6}eNNjS-otV|eOf7F@%jcc$SxZ`9!QX# zEVc$40Ln1q#{%Mtafh+MMzcK@%4^WJ>W;2^k#)7X%~K#0RttllKGN$^H2z&qe`!sjLWO>3+6wb(&$3}$?-A#Ft;q1MQaw`)z^aVYQK z-B4>!r8c!@1+?Y`8j1b^=GAMYsm`|FQkpSd7pgsZL&z__ji+DHqVHj(+UOe2k5Gxf z;`dCq_3(>8R~E^qA_U0?Y1*lK7>eybXOvS;oJmT1e%9PbI$-V1iTQSvqB1Mv;Z^_p zxm`>NJ7b*ZUitT4emz6VeF`)GcCOm4uq!@H&m{3)LZf4=mFrp0y$UbGKfQg}M4@p; zlXimKXv22s1E@flATyGlT5Js{!~6%cB8&%a{A%0I?BCsJTMcH&EUt#L$o^baNF=W=J7w&W*_!j>@|>NXWV?QS ziocbSX6}JB@6I;54IA-!n=b#AcMp!Y(RSV%%z$?+!}-QI~s}0 z+|bFRqLJ%lv;{3wUy}URX3>^f3ZHA(&sD_gF6(zc&&Vyzm$JK`U_o6R#myV0krhsA zff-8{5TCQ`W)X?F!XR=|Aw~6?JnNxPEZsBzoA(L*y1()E#PM#$;~fil7XsdER}?mR z4*=ewz(5@DgFL4jMB{VKOH3|jj=1E>p>p_Ol4@^x^LrYW)=TFBYn93b)Y6<+LH*@ln#P^{)F< zg3q?Nv2O9k{1)GKE_K)opbj&Be4|8*dLeJJ6+GUBLwOYkAa9iMChymP_W-C7L2ch+ zK#}mC&2qG?+ZjX0JDL(VJ+$vkV?p_=SWR< z-5aHbG~PkkqMzHkbA#q19Q41E`Bu_bO>$^eo>nZneK_=K60;kP{t02L!qLt$_lWA# zh1Ngb^Ylyv8SZCz*lx6b(Ab}qM`j4^S0q3oD%AS$SWo8x)JgxBbA2Xpy=NEA{VpC) z7$0IU`NWyTW-=A3nAH8XDPjCXDziqyB3()P<8Zafj))ty<)R1zeGFsE6YODv<4Ey9 
z9o7)kVa6XvP-+-2oUTN+>#E`a+V*l8(AAF}U=oGzC_bYigg{rXL5&6an%uTeJeV&g zN~AvHcwoniGpgif=rRDAjL zm&V#8!qTc%0r~Oc#N0P+CRC5va2;If&aN=OZ2h|O=3r4!!ul+uUO zgNb%?tNCB-mT(xEZ&lRbb)SlmiXFN~;(4=r&Z=C{KK%V2lYc|XF5B=AU47iK;d{t{ z{x=4SOLbTm3;`>cfq1O562*xojw}QWokx7QXr5-V^;lKn|dh49K85vrVbi zxNAKM|CbicI)=%-1zxDPG;=f5%=y*k>dlxXP2UguvV9u9RzT` zfIa~)lDGtQ$$F(8TLx+{aj!M7|efg|4`JA#u*$v5QTZbECWPPP(26T!O&$3rJfwQgI70O1k_Y3wURmwen13J~6+IKq*kH=4;68 zM4~itB+*P-T5if@_^m_@iS##|{$f)fc^%D2&=(wsRCFi5DGU~Se0G+p(Q0&t!OjRZj-NGmW?E@T;!&)XnVMb=fK8F-wvaZj-21Ft>@ zKJzC=)SRz;j-I!xm)(2rknOuJE;T7l*|?)upD!@%Vl;E99?q|=U*LI6LxieWbF;cF zf3P9^X_uTb$(M8{c`xGIh@KT#%*n@-E!sXVUzku`F*{80<{DUUKzs4oD~&-57k>`5Y)APDm>3US&$$-3^Tq#isbJ#&qlKUb@M;gM80_YV=~ zR)PN5oO|S(?0;Xwrph<`ZB65YW8b))ebrUK{taZm@4zN|{eh7Huy)*7(-8HjMb+)5 z(@1X zC38ec%^^pz7^PBg_~kw+QMfwU{9Rvr>j(!?FfAZdW(pKxFSNy#4tE+px+70CVzFX`{{#5Nn8RHtIjq*;A+;;$_tQCGFd;hQW1dBRT;wI=id^9O%zXWteP>Rl#%Z~Jq1z7*&^&EzElp=47`z(G`y+(A z0DY5pUruYSpi<8!Zy1s=!7*L5yaC$=$}s;C>lGN^{}t<1LugyA%fJVS{ozgCE`awj z&`1D`bw5E`X;I5=zT|G-YphInOtSEJYk>>Foty7%PmU*DV-6U=^u>f(+`}xjI7cK> z65WrQ3!~%j>ef55tduUtw5P*xl~DBC;dTzovr3$!WX_CN+%wdB(s;&~_I|BjkGd64$b}LSe8Z-Z&TTe18oa`Mk>8c#}JDI4(i%7@<#p@0<0FJyEP|mxqmE{o8=98A0(N|E^HB z;J6lChd2$K_|5+Gi;Y-XP=^_Ro<|WC4dFC!1WyA?LwPkcPy_bh6@O!W7hnN25DogM zgZ9T%d^;5}Yu*{=MBmYQy>W#}zW%$9Q2QE+-X9u{MB=tv_N!9Z_|8A(wCUt{*~ec+ zRv_<}l635Gizcg~;A)DE6-!^#)tI*~4(Bg?RZ3WL(y0&enN;o}pYkw&>ZwZ|{jm6& z%wkJ!YE;P`asj;owL)GZ$IqT|OB_qWW%3Lc?9eakFCRI3@eyCtj~(hJ*q6b~Sv)J6 z93Qi&G;F`f@?G?~VJAL!IKSW7o2t01Wa-=DYVp}ZrhS)!tq=tI3dYUv>pz!*#=ouq z9^y2E_r6<0gSNd|1vQgJzNwjFpcxC$xHI(G(BO`#1oSl)3i(<$pJPGkFYq*T9?xe! 
z%hoTxK8;-bMops2@w!CwwBq9o&$W+ElLd`*R_|9X(m3WyIIU>JNi}h)*vZDE{Uhe8 zlG_lHa-X5PV{g2eo~&keU7B63sLtm4uLsx)6O4<|mPTv=sKfk+F4BuWLtT)0Y}dur zDxixHoGx@WbrA$~Q4DI<&_>$Zbdf=$^cl4tYjlmmBYdlDk!ie+Cb8$RLtQrLN_h2gDZ{LR)8vGUfSF=MX1 z*LEk!{7d(8z0oF4y(i4S@uk(S;a4mV_BoS0EBJSbHjpgv>;8tErjX)>TdP*inNqVB zr^O^rS=Xwwd0l>j+7rQD`BAUC-iW(pkMIDi1J??wfH&TTr>}RPMU>Ut_wk0^_eG08 zNNdmud<+pIZSZ}`y#8TqsphfX!*D;<@*TQD300ae*J>&D2EVpQyGq?Cbljf9K}l}E zNc*W*X(#QB_VXN<2#}c5Ew9475}1t`eU?Zp=fy3a&$;x7V760Mm0jxNP%D{hZctwf zhL?*5nMUJ-Y6t;qIdVAtn0P(3F!{B_?k>*$%I zO{SSNE8J1f&NvDLlD^lx{FK4Gy(nJOlG<(VyS)C`e$Tlsnbfufqvyh}dv?l*=uTOs zrb(+|S*QCxxX&Y;mBGnAvIaZ7o#+pweGhc76qd?=WgSUy+k>UJl|{t+CGi6%_3xPy zPx_V@)n+CN0&)^P`*}Q#&YWwa+vjq(UzknN)urfIp35OiOMd=GU((e4XD+-q<3(#2 z#2QL8GwLjGAM530m~FA=ecMt*R7+%0VMBE?JP1{I-mzq#N=-$q))D2$;Y>V&QYpvo zQb*skG|b~X9wu5FP(|mvt3;;e^UE=_fFE90Zp8V;J#l|CUY@L_-CH)syPPU_{1Vq# z1+551;X#-7m?G*)vk#jfqNuxMJ(Q9D&%MU@YYoP>8Yg7Slp1BGH?##c#)2cfF@8*7 zny@S27|i(N2QpDKjGI>^w~rq>=%Kti-1xEg{^t0R3&xLL(8w#Ou_&caZ#Y%<tDlT%xBPuQ+P^7+kXP4=A{Eb3N6l&%RBFaGf7+%(JQOZf)`Q;jiiw3kahJXdGwm<;$KV_qxBpxKUj%rZHl-d{f8tzQ*w?YP34X z_Tik${KJJ%14H77L+yLQ;->xk@(B)kURNv=d7)WfXs$NOVvy3X|5Zxf9%{!iyD`P9 z|Lh>AqgF4ClmBAiD}=%5(UCLcKX7d-+?sR2@P$ioK6=*HgzW(}nE%jIL(vzUp76d$ z=zw)fy&;^BqQSD`=Q^duXY>paXyg&plZK&wJFi0l_8RHQZ`cpQLS$bKrX3rv)$8$N z$MtN8+ivM;dS@hKomY^}4L5X%jy=bD#f3GBfU)#JNrSaICmr9bZD)|0irisOOdV31 zDRY_d*_;?7X^1j~UA#58({G)YVhKw`BHQ;%AKH7- zUN@i0ILF|~I_(FoU8#dRlJ~!M)IKfV@VR#`=b(N(<+`wn^ijsU`Zvi=%9L9BpN`fn zI+^TBGN@5hv>Q=}R9(BwmWWF73g_`fJkj$I^{<4-)lL*hHZXX2-O=$k+5 zvSH*O)61}Yczs9P;kY;V(P-wA#skM5g=^mZEadN}l@)C1Sg4J0nz8PE^TaE+wN3Rc=$p^s*lEiTV*-(vd6z40JpSFM^S#9Y@s7u_uT z)_baQ!aX#5GS(-%`llaA(O!D3VDs+q!y%onUfK(0iy{q@1@q~e&*in9I!}e9>qrG7 z6i`D@OTWj_9`okE#nD$>9N~T2(G3~OYgB-7)F-nUM@t}%z(}+aN2i`zqwQt1cnzz= zLL5VOWN0dO-yV)lGc!MF3N8U(@NwI%IC^|ILP9$~RMK|04nKQBMq1PL9%)_SYereb zDYm(9Mg=!m;3p9quO#h0b-`DM(bDq}d0nhX{wd>EXd>Qz9)f3g;qh-A-HoNbMkaUE=eW%r3=Sdfz2ujW$qRgzke)qC- zGo$QHizMOAb^Gt%G4uzUvG7$7=0C>C@}dzOU$gD=uHF&Aw;uBS1U^V?jFW+T0AD~G 
z@q=TM37(KF~CO`T!M4M3+Wat7Sv$IA0LqsOc0Li zPV?E$n1Z+l9xHh>O4~zuv0gYtiY$iN!k$qv}sd`s4;}379`8Rl6opAkc*{n}J z`Hx4Zah-6iJ4IT6$qT#S1ZVCal$Fjx^Cf-bw?tUggqg%?zl$Bt$THg(-(*K|DMa*M z|FYPD#2>fn^k(98D`rxXR?)4xN^hD=*?pgDTbcV`WiJa9n!fewie1yo-LLNPR~;p1 dPEdJH>=;!tSVyiHonF5rNJQHik08(={|8uzrWODI literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/smb/smb311.test b/testing/btest/scripts/base/protocols/smb/smb311.test new file mode 100644 index 0000000000..22f232c14a --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb311.test @@ -0,0 +1,12 @@ +# @TEST-EXEC: bro -b -C -r $TRACES/smb/smb311.pcap %INPUT +# @TEST-EXEC: test ! -f dpd.log +# @TEST-EXEC: test ! -f weird.log +# @TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb + +# Add some tests for SMB3 +event smb2_negotiate_response(c: connection, hdr: SMB2::Header, nr: SMB2::NegotiateResponse) + { + print fmt("smb2_negotiate_response %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, nr); + } From 328ab790252293c168cfcbc41ee37cc6bc60345e Mon Sep 17 00:00:00 2001 From: mauro Date: Wed, 13 Feb 2019 18:03:17 +0100 Subject: [PATCH 05/88] fixing some missing log lines in smb_files.log --- aux/broker | 2 +- doc | 2 +- scripts/base/protocols/smb/files.bro | 2 ++ src/3rdparty | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/aux/broker b/aux/broker index bf734622dc..c7b1dfd38e 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit bf734622dceaafaf7a481185efd22bd7cc805f9b +Subproject commit c7b1dfd38ec6c42729f8c462eef6457a8dd948b6 diff --git a/doc b/doc index 5acafa0d34..c0092fab7b 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 5acafa0d340a6f4096dccbe69b8fb62d7c9ce87f +Subproject commit c0092fab7b28c029eddb6b9b654f6096d8e4456a diff --git a/scripts/base/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro index d01aa815a5..be30f0ea76 100644 --- a/scripts/base/protocols/smb/files.bro +++ b/scripts/base/protocols/smb/files.bro 
@@ -65,5 +65,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori if ( c$smb_state$current_file?$name ) f$info$filename = c$smb_state$current_file$name; + write_file_log(c$smb_state); + } } diff --git a/src/3rdparty b/src/3rdparty index 6e93c5546a..b822eeed58 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 6e93c5546a4770d513fb57213d7b29e39e12bf4d +Subproject commit b822eeed58c4a1ee3781f1f8c8a19fd590dc4a04 From 84afafc5127df6832434a50d8894ae5b141f9ed3 Mon Sep 17 00:00:00 2001 From: mauro Date: Thu, 14 Feb 2019 16:51:50 +0100 Subject: [PATCH 06/88] added test and pcap files for smb_files.log fix --- .../files.log | 11 +++++++++++ .../smb_files.log | 16 ++++++++++++++++ testing/btest/Traces/smb/smb2readwrite.pcap | Bin 0 -> 20770 bytes .../scripts/base/protocols/smb/smb2-fix.test | 9 +++++++++ 4 files changed, 36 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/files.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/smb_files.log create mode 100644 testing/btest/Traces/smb/smb2readwrite.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb2-fix.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/files.log new file mode 100644 index 0000000000..7704087a53 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/files.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path files +#open 2019-02-14-15-17-09 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count +1549644186.691869 FG403EpKSkh5CwCre 169.254.128.15 169.254.128.18 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile 0.000000 - F 16 16 0 0 F - - - - - - - +1549644186.699376 FLCGB5TxPTWKKeQf4 169.254.128.18 169.254.128.15 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile2 0.000000 - T 7000 - 0 0 F - - - - - - - +#close 2019-02-14-15-17-09 diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/smb_files.log new file mode 100644 index 0000000000..197ad14bca --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/smb_files.log 
@@ -0,0 +1,16 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smb_files +#open 2019-02-14-15-17-09 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed +#types time string addr port addr port string enum string string count string time time time time +1549644186.686127 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile 16 - 1549643138.282481 1549643183.156000 1549643138.280000 1549643138.282481 +1549644186.686127 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_READ - pythonfile 16 - 1549643138.282481 1549643183.156000 1549643138.280000 1549643138.282481 +1549644186.686127 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FG403EpKSkh5CwCre SMB::FILE_READ - pythonfile 16 - 1549643138.282481 1549643183.156000 1549643138.280000 1549643138.282481 +1549644186.692584 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile2 0 - 1549644186.688000 1549644186.688000 1549644186.688000 1549644186.688000 +1549644186.692584 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_WRITE - pythonfile2 0 - 1549644186.688000 1549644186.688000 1549644186.688000 1549644186.688000 +1549644186.692584 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FLCGB5TxPTWKKeQf4 SMB::FILE_WRITE - pythonfile2 0 - 1549644186.688000 1549644186.688000 1549644186.688000 1549644186.688000 +1549644187.702245 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - 0 - 1549644186.688000 1549644187.700000 1549644186.688000 1549644186.688000 +#close 2019-02-14-15-17-09 
diff --git a/testing/btest/Traces/smb/smb2readwrite.pcap b/testing/btest/Traces/smb/smb2readwrite.pcap new file mode 100644 index 0000000000000000000000000000000000000000..723dd58c258cef9e3d3d9c93c45978c2f99a3710 GIT binary patch literal 20770 zcmeHPd32Q36~7Z;fC)=bmIy%xDG-99Q3q?Ao=zweG>|wzA^`-$;z+;_=@4i@gy{j7 zDD6=cDq*K^+Jefy3SkH!5JeGC7HhSN)Osk}L5|kI^xiw)o0;#;%$Enq@t^PIyzhR? zeD~h>yZ0^Md-vt&?sZF(pgu%WeX!s~<=SD7-Cb^jJMe;XBk1~oBL|P2R*h-|F0iz; z<~qS|UHtUluljGn+&oavvcu)A9PV?hJ>gD;tGPp&=hs&U=Jj$iPk;s*r6&h9p~0&F zQ=YnQU?8ni7QZ1K9t3EdB;BLS3b+OQNb6xHjf*jtLrZuWX%Xg9m<(kw2F8OIJWv8p z!4q&V-cQGz!X-{c3efu@Z+|2)DHZRC-_gUo^6XLKN748D=ah`5`-E8gDK^MJWhe`* zLbxGfX`Wl1;IvL(NoWyjmK}k5gqF)YKi8ewG^y||=6_yBj7mpI6|uq4m=W=JY5U)r zokuOs)h8Ohi*)?+p=&{@e3U{*U^MBv$E>^e63rVFe2eJomNA+cpi<&VoMvm z6M1gObAinJXWP>wu+U3!5+S!}sts<%f>Mt0wFcI{>}wTzUz?xnbF4dvzIG*PB(psc zja-W6Yo++;eMMjE21ynwshng)#B*7mCI&uGm)F28m_^YTc?8kGXKY|Ycqq%x1+|`* z>|6)*&b98K%e$Z}J6BWYe@L%#sOnq`M2+Dg=n|#sgO|oxTJrS-7y-Y9k$9Yd)ouj% zu)+c8=KiOavf_q%E*w);^%j!q*-|1+$Gl=VI(dXao}>qPVHtwFf}0k!g|u&5PH zusSry8};}$z<$lw1Why&Zmj*DhnoHWY}i)2+5NxOyZ@qMpJU@Zcd7+ShcT~&ZS_$_ z_wNSr`#jl5RAHOX(={!+&k2}i?avz5N*ce18lNVOlg_iox~8RhRIB)rqQ-W7$BwMJ z&iL*mactk`_7{l?W00ojP*a26xhz6UFcrLNvt6KHQBzJlls;A2Ji z$i(l)qIRKo=qNjKOax2>Oax2>Oax2>Oax2>Oax2>Oax2>Oax2> zOax2>Oax2>Oax2>Oax2>Oa$sgfK~(_eZvMlahZ*B%&L33Cyf_8=ST~lGhE(nweFNA zpA=wd26375mJMiymvRi3sh;-C#Tl0igxv?xMRi@V1u}_VS0v3ktTtTG zy`447ku*ETLLro6%=tG@2L_D;l1a-@i0$T|xx8-| zae&fRQV^!f8VYl&YM3QTB?YhCHYtgNS_BorwZim%6i%hcT5q^;KA0EIi}X0ZUF36Y zUXBarSG|u?At=p9UW+#v20{&Cn~jUh3&XT4=Q5*&fl$X4ZI&nyio&!hHN;FPkH#Dw z2sIj`L?^&F4AmZwOYc1}P}__7=7nh!Vk|$b{d~D!B7pW&CJ078f~CsVOO=5>pUqa6#<6Vt?HOis9!$*z7*f% zbRDfuymni#6Lg;z>)J!R5tirPn!Sc%aeLbOGZoi@3I-abR!-PMdZfFYolk8XhMwae zr5E@J@cfdAW4EKc!1HNKtB{IoLE)v9+Ar5I_2aRvb|)1#e-vV-zdV=**~q&9_a_zL z^MP9V%6L#w2L15q0O*7J)q3Cnqa1T6`866?F!=W*A4a!*hUkgpA$%?9GVOO_7)S4g zhBM&@aZlcr^tcb@`%t<^`?X)A=g*DrxQXQd+O?eIi)%qSsF8n5hy(aBx1^Ig(tDEp zOx*bvjR3W=lma<(y6r%@f)2AJ_n>P*ZK0pxF(N;77Jd--q(+mUi`#U1MWHX`LVoSE 
zAF5F9w5rYrsQlWspb=lbHo5zya*HwxzjGEihioBv&6bTNy5LmkTF~ThX(DoO*Y1(u zWx|8-0Qyva^t&NZes@@sYlpkQ4!_|c?c^xrMfn4x_B!^Xd_gn6s^M!vBN#{Yh}a^m zWX#DyO^;Iaw(&3tH(`a6U(h;s1jdsq{4E9dWVm54evP|e5SHJe@gyR4_{H0ENzeUs zz~tZl)grFl=ZlkB6)`ET+DYr^}I}k2+3AUl7SaxA~;uRWG5OtpI^|b|Y_gmlE znS@ka3#y65Uq%P9HO6yw8+xh(jHpiQ@AxT5fCYUBdn6&=+#CwaY}@ z@k1+|#NLH?xZjJv5`8sxE&gWMzl!!mwGRz{qG%FnL}@!}I68gYNip98^rMKXN}nT8 z=uWY~Na2#)`}R6!INeZ8ycSEF7&KnEC7`g7)k-+s@TuZRAyq4#JZ7iTwmNP&-O!oF z2mU7d@j;*v#|M{r)VP&dC!B6j)i6ub@OlW9V(ke-oJTOumn55AMw@*^TQ4fku-t?= z|MMDgmPdZ1;mDJQICo*3lO>!#a(QXl@pji@6T=P&g*?;PNB>?)+` zvv zV2N2;%2A0mRj) z@eC|3W%(llCVJ8t#4HKKWiD?ZLj^=tjddV)n41iTP#wxK-+I;7(G22xJ&1t}1o0e! zm`yva0p^PSgD#T8Rt5N%B8b#ir9umk94|=YATh2IVWCA6oT zXQxB|E+eqV=cvx2Io;s{2mne8unuHAXSi3+!{+;UTwXXGxbH8_DB)hYFQUw6^shJU z2#6h7CE6=Tn$Ca0a4t224e<-TA*!=n-d*YO3=!HI88L*areQ;nO5bd3YGjBf*$}yU z@OGu6Au7la!&=qpN(NdNOL9{FEm8j=gceNyzG~XhQNCClg^(J66LrW zcM*$2Ii`_2<>^j_o?asvx&jS-h7DcEysRn`gHbxy((9NZAzN&IGUiMNjQIYO3@d@{Fz)5)%mlpegrvw zEJ_B~k9pOG^JjOGS4^I#_ln&vm$!Nwc|~3GXR4T(^Jk&?G;{teG@oY9pK)7*hsZoe z=uF&?PtEzW_6&?Ue`d~~8O@)m_MzcnsaD-+6wzRh;r!WH9-Y!Zmx%gIsNUvt)MV29 zS-}&c<`S<1xS}^3Z%~f;%A08&$0L$&;_||IoparpSHgLn(~2VnnromWk4Q+vPd+r9 f*XhBZ2le#hgPKg2cXw+ZHP$hIrmEqM% Date: Thu, 3 Jan 2019 13:51:50 -0500 Subject: [PATCH 07/88] improve performance of dns policy defer allocating various tables until at least 2 pending queries are seen. --- scripts/base/protocols/dns/main.bro | 35 +++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index a0e22aae6b..8ce14c8e18 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro 
@@ -128,13 +128,16 @@ export { ## A record type which tracks the status of DNS queries for a given ## :bro:type:`connection`. type State: record { + ## a single query that hasn't been matched with a response yet. + pending_query: Info &optional; + ## Indexed by query id, returns Info record corresponding to ## queries that haven't been matched with a response yet. - pending_queries: PendingMessages; + pending_queries: PendingMessages &optional; ## Indexed by query id, returns Info record corresponding to ## replies that haven't been matched with a query yet. - pending_replies: PendingMessages; + pending_replies: PendingMessages &optional; }; } @@ -230,7 +233,7 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 if ( is_query ) { - if ( msg$id in c$dns_state$pending_replies && + if ( c$dns_state?$pending_replies && msg$id in c$dns_state$pending_replies && Queue::len(c$dns_state$pending_replies[msg$id]) > 0 ) { # Match this DNS query w/ what's at head of pending reply queue. @@ -241,12 +244,24 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 # Create a new DNS session and put it in the query queue so # we can wait for a matching reply. c$dns = new_session(c, msg$id); - enqueue_new_msg(c$dns_state$pending_queries, msg$id, c$dns); + if(!c$dns_state?$pending_query) + c$dns_state$pending_query = c$dns; + else + { + if(!c$dns_state?$pending_queries) + c$dns_state$pending_queries = table(); + enqueue_new_msg(c$dns_state$pending_queries, msg$id, c$dns); + } } } else { - if ( msg$id in c$dns_state$pending_queries && + if (c$dns_state?$pending_query && c$dns_state$pending_query$trans_id == msg$id) + { + c$dns = c$dns_state$pending_query; + delete c$dns_state$pending_query; + } + else if (c$dns_state?$pending_queries && msg$id in c$dns_state$pending_queries && Queue::len(c$dns_state$pending_queries[msg$id]) > 0 ) { # Match this DNS reply w/ what's at head of pending query queue. 
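Review bot: In the `State` record, `pending_queries` and `pending_replies` change from always-present tables to `&optional` fields inside an `export` block, so any script outside this patch that indexes them without a `?$` test will hit an uninitialized-field runtime error on connections that never have a second query outstanding. The patch guards the uses it touches, but other readers of the record are not visible here and should be checked. The new field's comment could also say why the slot exists, e.g. `## The first outstanding query; pending_queries is only allocated once a second query is pending.`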
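Review bot: In the query branch of `set_session`, a new query is stored in `pending_query` whenever that slot is free, even when `pending_queries` already holds older queries with the same transaction id, and the reply branch checks the slot first, so a reply can be paired with the newest query instead of the oldest. Sequence: Q1 takes the slot, Q2 (same id) is queued, a reply frees the slot, Q3 (same id) takes the slot, and the next reply is matched to Q3 while Q2 keeps waiting. That changes which query a `DNS::LOG` record attributes its answers and `rtt` to. Using the slot only while the table has nothing queued for that id would keep the old order, something like `if ( ! c$dns_state?$pending_query && ! ( c$dns_state?$pending_queries && msg$id in c$dns_state$pending_queries ) )`. The body of `set_session` starts and ends outside this hunk.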
@@ -257,6 +272,8 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 # Create a new DNS session and put it in the reply queue so # we can wait for a matching query. c$dns = new_session(c, msg$id); + if(!c$dns_state?$pending_replies) + c$dns_state$pending_replies = table(); enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns); } } @@ -511,6 +528,10 @@ event connection_state_remove(c: connection) &priority=-5 # If Bro is expiring state, we should go ahead and log all unmatched # queries and replies now. - log_unmatched_msgs(c$dns_state$pending_queries); - log_unmatched_msgs(c$dns_state$pending_replies); + if(c$dns_state?$pending_query) + Log::write(DNS::LOG, c$dns_state$pending_query); + if(c$dns_state?$pending_queries) + log_unmatched_msgs(c$dns_state$pending_queries); + if(c$dns_state?$pending_replies) + log_unmatched_msgs(c$dns_state$pending_replies); } From a5ad864e13021db412b4adc1d05c72a8dad74102 Mon Sep 17 00:00:00 2001 From: Justin Azoff Date: Wed, 9 Jan 2019 09:46:08 -0500 Subject: [PATCH 08/88] Use more efficient method to grab the protocol. get_conn_transport_proto needs to use sessions->FindConnection and do a hash lookup to find the connection while get_port_transport_proto just looks at the port directly. --- scripts/base/protocols/dns/main.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 8ce14c8e18..fdc08f6c02 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -162,7 +162,7 @@ function new_session(c: connection, trans_id: count): Info info$ts = network_time(); info$id = c$id; info$uid = c$uid; - info$proto = get_conn_transport_proto(c$id); + info$proto = get_port_transport_proto(c$id$resp_p); info$trans_id = trans_id; return info; } From ea167846faa89c488f1750b84cb53815a6647dbe Mon Sep 17 00:00:00 2001 
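Review bot: The added conditionals in `connection_state_remove` are written `if(c$dns_state?$pending_query)` while the surrounding file spaces them as `if ( ... )` (see the context line `if ( is_query )`); the same applies to `if(!c$dns_state?$pending_replies)` in the hunk at -257 and to the new branches in the hunk at -241. Writing them as `if ( c$dns_state?$pending_query )` keeps the file uniform. A one-line comment above `Log::write(DNS::LOG, c$dns_state$pending_query);` saying that the single slot is flushed here because it does not pass through `log_unmatched_msgs` would help the next reader. The body of the handler starts outside this hunk.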
From: Justin Azoff Date: Sun, 17 Feb 2019 12:48:24 -0500 Subject: [PATCH 09/88] update baselines --- .../all-events.log | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 0492d87770..8f6550e2e2 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log 
@@ -13,41 +13,41 @@ [3] len: count = 34 1254722767.492060 dns_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, 
history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [2] query: string = mail.patriots.in [3] qtype: count = 1 [4] qclass: count = 1 1254722767.492060 protocol_confirmation - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, 
resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_DNS [2] aid: count = 3 1254722767.492060 dns_end - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, 
saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] 1254722767.526085 dns_message - [0] c: 
connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, 
history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F], pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [3] len: count = 100 1254722767.526085 dns_CNAME_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, 
orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=, pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] ans: dns_answer = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs] [3] name: 
string = patriots.in 1254722767.526085 dns_A_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, 
query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=, pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] ans: dns_answer = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs] [3] a: addr = 74.53.140.153 1254722767.526085 dns_end - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=, pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] 1254722767.529046 new_connection 
@@ -489,7 +489,7 @@ 1437831776.764391 ChecksumOffloading::check 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=[pending_query=, pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 connection_state_remove [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=25, 
num_bytes_ip=1546, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576953, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] From 52dbaef6da882be427412fda02a3dc7606fdea26 Mon Sep 17 00:00:00 2001 From: Justin Azoff Date: Mon, 18 Feb 2019 12:50:22 -0500 Subject: [PATCH 10/88] Defer initialization of lists and dicts until an item is added. Instead of pre-allocating every list with space for 10 items, don't initialize it at all until the first Insert. Instead of pre-allocating every dictionary with 17 buckets, don't initialize it at all until the first Insert. --- src/Dict.cc | 27 +++++++++++++++++++++++---- src/List.cc | 37 +++++++++++++------------------------ src/List.h | 4 +--- 3 files changed, 37 insertions(+), 31 deletions(-) diff --git a/src/Dict.cc b/src/Dict.cc index 9e68d64089..abcc1a78c8 100644 --- a/src/Dict.cc +++ b/src/Dict.cc @@ -53,7 +53,7 @@ public: Dictionary::Dictionary(dict_order ordering, int initial_size) { - Init(initial_size); + tbl = 0; tbl2 = 0; if ( ordering == ORDERED ) 
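Review bot: The `Dictionary` constructor no longer uses its `initial_size` argument: `Init(initial_size)` is replaced by `tbl = 0;`, and the later hunks allocate with `Init(DEFAULT_DICT_SIZE)` on the first insert, so a caller's size hint is silently dropped. Either keep the hint for the lazy allocation (store it and pass it to `Init` on the first `Insert`) or document on the parameter that it is now ignored. `num_buckets` is also not assigned in the visible part of the constructor, so it is worth confirming that nothing reads it before the first insert. The constructor body continues outside this hunk.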
@@ -61,14 +61,13 @@ Dictionary::Dictionary(dict_order ordering, int initial_size) else order = 0; - SetDensityThresh(DEFAULT_DENSITY_THRESH); - delete_func = 0; tbl_next_ind = 0; cumulative_entries = 0; num_buckets2 = num_entries2 = max_num_entries2 = thresh_entries2 = 0; den_thresh2 = 0; + max_num_entries = num_entries = 0; } Dictionary::~Dictionary() @@ -80,12 +79,14 @@ Dictionary::~Dictionary() void Dictionary::Clear() { DeInit(); - Init(2); + tbl = 0; tbl2 = 0; } void Dictionary::DeInit() { + if ( tbl == 0 ) + return; for ( int i = 0; i < num_buckets; ++i ) if ( tbl[i] ) { @@ -127,6 +128,8 @@ void Dictionary::DeInit() void* Dictionary::Lookup(const void* key, int key_size, hash_t hash) const { + if (tbl == 0 && tbl2 == 0 ) + return 0; hash_t h; PList(DictEntry)* chain; @@ -155,6 +158,8 @@ void* Dictionary::Lookup(const void* key, int key_size, hash_t hash) const void* Dictionary::Insert(void* key, int key_size, hash_t hash, void* val, int copy_key) { + if ( tbl == 0 ) + Init(DEFAULT_DICT_SIZE); DictEntry* new_entry = new DictEntry(key, key_size, hash, val); void* old_val = Insert(new_entry, copy_key); @@ -179,6 +184,8 @@ void* Dictionary::Insert(void* key, int key_size, hash_t hash, void* val, void* Dictionary::Remove(const void* key, int key_size, hash_t hash, bool dont_delete) { + if ( tbl == 0 && tbl2 == 0 ) + return 0; hash_t h; PList(DictEntry)* chain; int* num_entries_ptr; @@ -280,6 +287,13 @@ void Dictionary::StopIteration(IterCookie* cookie) const void* Dictionary::NextEntry(HashKey*& h, IterCookie*& cookie, int return_hash) const { + if ( tbl == 0 && tbl2 == 0 ) + { + const_cast(&cookies)->remove(cookie); + delete cookie; + cookie = 0; + return 0; + } // If there are any inserted entries, return them first. // That keeps the list small and helps avoiding searching // a large list when deleting an entry. 
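Review bot: `Clear()` now only calls `DeInit()` and nulls `tbl`/`tbl2`, where it used to call `Init(2)`, which is the place that sets `max_num_entries = num_entries = 0`; unless `DeInit()` resets the counters (its visible lines do not), any reader of `num_entries` sees the old count after `Clear()` until the next insert. Adding `num_entries = max_num_entries = 0;` after `DeInit();` (and the `num_entries2` counterparts if a resize can be in progress) would keep the previous contract. `DeInit()` runs past the end of its hunk, so this is based on the lines shown.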
@@ -366,6 +380,7 @@ void Dictionary::Init(int size) tbl[i] = 0; max_num_entries = num_entries = 0; + SetDensityThresh(DEFAULT_DENSITY_THRESH); } void Dictionary::Init2(int size) @@ -382,6 +397,8 @@ void Dictionary::Init2(int size) // private void* Dictionary::Insert(DictEntry* new_entry, int copy_key) { + if ( tbl == 0 ) + Init(DEFAULT_DICT_SIZE); PList(DictEntry)** ttbl; int* num_entries_ptr; int* max_num_entries_ptr; @@ -568,6 +585,8 @@ unsigned int Dictionary::MemoryAllocation() const { int size = padded_sizeof(*this); + if ( tbl == 0 ) + return size; for ( int i = 0; i < num_buckets; ++i ) if ( tbl[i] ) { diff --git a/src/List.cc b/src/List.cc index a2b4609975..23604a7d04 100644 --- a/src/List.cc +++ b/src/List.cc @@ -6,33 +6,27 @@ #include "List.h" #include "util.h" -static const int DEFAULT_CHUNK_SIZE = 10; +#define DEFAULT_LIST_SIZE 10 +#define GROWTH_FACTOR 2 BaseList::BaseList(int size) { - chunk_size = DEFAULT_CHUNK_SIZE; + num_entries = 0; + max_entries = 0; + entry = 0; - if ( size < 0 ) - { - num_entries = max_entries = 0; - entry = 0; - } - else - { - if ( size > 0 ) - chunk_size = size; + if ( size <= 0 ) + return; - num_entries = 0; - entry = (ent *) safe_malloc(chunk_size * sizeof(ent)); - max_entries = chunk_size; - } + max_entries = size; + + entry = (ent *) safe_malloc(max_entries * sizeof(ent)); } BaseList::BaseList(BaseList& b) { max_entries = b.max_entries; - chunk_size = b.chunk_size; num_entries = b.num_entries; if ( max_entries ) @@ -58,7 +52,6 @@ void BaseList::operator=(BaseList& b) free(entry); max_entries = b.max_entries; - chunk_size = b.chunk_size; num_entries = b.num_entries; if ( max_entries ) @@ -74,8 +67,7 @@ void BaseList::insert(ent a) { if ( num_entries == max_entries ) { - resize(max_entries + chunk_size); // make more room - chunk_size *= 2; + resize(max_entries==0 ? DEFAULT_LIST_SIZE : max_entries*GROWTH_FACTOR); // make more room } for ( int i = num_entries; i > 0; --i ) 
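Review bot: Moving `SetDensityThresh(DEFAULT_DENSITY_THRESH)` from the constructor into `Init()` means a threshold set between construction and the first insert is overwritten when the table is lazily allocated. If `SetDensityThresh` can be called from outside the class (its declaration is not shown), `Init()` should re-apply the stored threshold rather than the default, or at least carry a comment such as `// Note: resets the density threshold to the default.` `Init()` starts outside this hunk.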
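Review bot: The growth expression `max_entries==0 ? DEFAULT_LIST_SIZE : max_entries*GROWTH_FACTOR` is repeated in `insert()` here and again in `sortedinsert()` and `append()` in the following hunks, and `max_entries*GROWTH_FACTOR` is an unchecked `int` multiplication. A small helper used by all three, which also checks the product before calling `resize()`, would keep the growth policy in one place. `insert()` continues past this hunk.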
@@ -95,8 +87,7 @@ void BaseList::sortedinsert(ent a, list_cmp_func cmp_func) // First append element. if ( num_entries == max_entries ) { - resize(max_entries + chunk_size); - chunk_size *= 2; + resize(max_entries==0 ? DEFAULT_LIST_SIZE : max_entries*GROWTH_FACTOR); } entry[num_entries++] = a; @@ -142,8 +133,7 @@ void BaseList::append(ent a) { if ( num_entries == max_entries ) { - resize(max_entries + chunk_size); // make more room - chunk_size *= 2; + resize(max_entries==0 ? DEFAULT_LIST_SIZE : max_entries*GROWTH_FACTOR); // make more room } entry[num_entries++] = a; @@ -168,7 +158,6 @@ void BaseList::clear() } num_entries = max_entries = 0; - chunk_size = DEFAULT_CHUNK_SIZE; } ent BaseList::replace(int ent_index, ent new_ent) diff --git a/src/List.h b/src/List.h index fcc0274225..6fb2bbcec6 100644 --- a/src/List.h +++ b/src/List.h @@ -11,7 +11,7 @@ // element up, and resizing the list, which involves getting new space // and moving the data. Resizing occurs automatically when inserting // more elements than the list can currently hold. Automatic -// resizing is done one "chunk_size" of elements at a time and +// resizing is done by growing by GROWTH_FACTOR at a time and // always increases the size of the list. Resizing to zero // (or to less than the current value of num_entries) // will decrease the size of the list to the current number of @@ -32,7 +32,6 @@ public: void clear(); // remove all entries int length() const { return num_entries; } - int chunk() const { return chunk_size; } int max() const { return max_entries; } int resize(int = 0); // 0 => size to fit current number of entries @@ -79,7 +78,6 @@ protected: void operator=(BaseList&); ent* entry; - int chunk_size; // increase size by this amount when necessary int max_entries; int num_entries; }; From f1cdae2829782bd4bd017a15d9086e52ff149955 Mon Sep 17 00:00:00 2001 
From: mauro Date: Wed, 6 Feb 2019 10:19:05 +0100 Subject: [PATCH 11/88] added smb2-com-transform-header for smb3.x --- aux/broker | 2 +- doc | 2 +- scripts/base/init-bare.bro | 24 +++++++++++ src/3rdparty | 2 +- src/analyzer/protocol/smb/CMakeLists.txt | 2 + src/analyzer/protocol/smb/smb-common.pac | 1 + src/analyzer/protocol/smb/smb.pac | 3 ++ .../smb/smb2-com-transform-header.pac | 41 +++++++++++++++++++ src/analyzer/protocol/smb/smb2-protocol.pac | 2 +- .../smb/smb2_com_transform_header.bif | 15 +++++++ 10 files changed, 90 insertions(+), 4 deletions(-) create mode 100644 src/analyzer/protocol/smb/smb2-com-transform-header.pac create mode 100644 src/analyzer/protocol/smb/smb2_com_transform_header.bif diff --git a/aux/broker b/aux/broker index bf734622dc..c7b1dfd38e 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit bf734622dceaafaf7a481185efd22bd7cc805f9b +Subproject commit c7b1dfd38ec6c42729f8c462eef6457a8dd948b6 diff --git a/doc b/doc index 5acafa0d34..c0092fab7b 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 5acafa0d340a6f4096dccbe69b8fb62d7c9ce87f +Subproject commit c0092fab7b28c029eddb6b9b654f6096d8e4456a diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 600a507d4f..4588c13411 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -3327,6 +3327,30 @@ export { ## The action taken in establishing the open. create_action : count; }; + + ## An SMB2 transform header (for SMB 3.x dialects with encryption enabled). + ## + ## For more information, see MS-SMB2:2.2.41 + ## + ## .. bro:see:: smb2_header smb2_message smb2_close_request smb2_close_response + ## smb2_create_request smb2_create_response smb2_negotiate_request + ## smb2_negotiate_response smb2_read_request + ## smb2_session_setup_request smb2_session_setup_response + ## smb2_file_rename smb2_file_delete + ## smb2_tree_connect_request smb2_tree_connect_response + ## smb2_write_request + type SMB2::Transform_header: record { + ## The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey. + signature : string; + ## An implementation specific value assigned for every encrypted message. + nonce : string; + ## The size, in bytes, of the SMB2 message. + orig_msg_size : count; + ## A flags field, interpreted in different ways depending of the SMB2 dialect. + flags : count; + ## A value that uniquely identifies the established session for the command. + session_id : count; + }; } module GLOBAL; diff --git a/src/3rdparty b/src/3rdparty index 6e93c5546a..b822eeed58 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 6e93c5546a4770d513fb57213d7b29e39e12bf4d +Subproject commit b822eeed58c4a1ee3781f1f8c8a19fd590dc4a04 diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index cc5d690dfd..b156d185bc 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -35,6 +35,7 @@ bro_plugin_bif( smb2_com_tree_connect.bif smb2_com_tree_disconnect.bif smb2_com_write.bif + smb2_com_transform_header.bif smb2_events.bif events.bif @@ -84,5 +85,6 @@ bro_plugin_pac( smb2-com-tree-connect.pac smb2-com-tree-disconnect.pac smb2-com-write.pac + smb2-com-transform-header.pac ) bro_plugin_end() 
diff --git a/src/analyzer/protocol/smb/smb-common.pac b/src/analyzer/protocol/smb/smb-common.pac index 5e2a655ed7..fe84a8035d 100644 --- a/src/analyzer/protocol/smb/smb-common.pac +++ b/src/analyzer/protocol/smb/smb-common.pac @@ -1,6 +1,7 @@ enum SMBVersion { SMB1 = 0xff534d42, # \xffSMB SMB2 = 0xfe534d42, # \xfeSMB + SMB3 = 0xfd534d42, # \xfdSMB }; enum TransactionType { diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index a21101faaa..5114110735 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -40,6 +40,7 @@ #include "smb2_com_tree_connect.bif.h" #include "smb2_com_tree_disconnect.bif.h" #include "smb2_com_write.bif.h" +#include "smb2_com_transform_header.bif.h" %} analyzer SMB withcontext { @@ -93,6 +94,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) { %include smb2-com-tree-connect.pac %include smb2-com-tree-disconnect.pac %include smb2-com-write.pac +%include smb2-com-transform-header.pac type uint24 = record { byte1 : uint8; @@ -128,6 +130,7 @@ type SMB_Protocol_Identifier(is_orig: bool, msg_len: uint32) = record { smb_1_or_2 : case protocol of { SMB1 -> smb1 : SMB_PDU(is_orig, msg_len); SMB2 -> smb2 : SMB2_PDU(is_orig); + SMB3 -> smb3 : SMB2_transform_header; # if smb 3.x with encryption enabled, a different smb header (SMB2_transform_header) is used default -> unknown : empty; }; }; diff --git a/src/analyzer/protocol/smb/smb2-com-transform-header.pac b/src/analyzer/protocol/smb/smb2-com-transform-header.pac new file mode 100644 index 0000000000..10c1e5422f --- /dev/null +++ b/src/analyzer/protocol/smb/smb2-com-transform-header.pac 
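Review bot: The enum value added in smb-common.pac is named `SMB3`, but `0xfd534d42` is the protocol id of the SMB2 transform header (MS-SMB2 2.2.41, which the new record's docs cite). It appears only when an SMB 3.x session encrypts; unencrypted SMB 3.x messages keep the `\xfeSMB` id and still take the `SMB2` branch. Someone writing detections against this analyzer could read `SMB3` as covering all SMB 3.x traffic. I would name the value for what it marks and say so in its comment, e.g. `SMB2_TRANSFORM = 0xfd534d42, # \xfdSMB, encrypted SMB 3.x message`, and use the same label in the `SMB_Protocol_Identifier` case in the smb.pac hunk.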
@@ -0,0 +1,41 @@ +refine connection SMB_Conn += { + + function BuildSMB2TransformHeaderVal(hdr: SMB2_transform_header): BroVal + %{ + RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header); + + //r->Assign(0, uint8s_to_stringval(${hdr.signature})); + //r->Assign(1, uint8s_to_stringval(${hdr.nonce})); + r->Assign(0, bytestring_to_val(${hdr.signature})); + r->Assign(1, bytestring_to_val(${hdr.nonce})); + r->Assign(2, val_mgr->GetCount(${hdr.orig_msg_size})); + r->Assign(3, val_mgr->GetCount(${hdr.flags})); + r->Assign(4, val_mgr->GetCount(${hdr.session_id})); + + return r; + %} + + function proc_smb2_transform_header(hdr: SMB2_transform_header) : bool + %{ + if ( smb2_transform_header ) + BifEvent::generate_smb2_transform_header(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2TransformHeaderVal(hdr)); + + return true; + %} + +}; + +type SMB2_transform_header = record { + signature : bytestring &length = 16; + nonce : bytestring &length = 16; + #signature : uint8[16]; + #nonce : uint8[16]; + orig_msg_size : uint32; + reserved : uint16; + flags : uint16; + session_id : uint64; +} &let { + proc: bool = $context.connection.proc_smb2_transform_header(this); +} &byteorder = littleendian; diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index f5095a66d1..d02a69edb1 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac @@ -281,7 +281,7 @@ type SMB2_error_response(header: SMB2_Header) = record { type SMB2_logoff_request(header: SMB2_Header) = record { structure_size : uint16; reserved : uint16; -}; +}; type SMB2_logoff_response(header: SMB2_Header) = record { structure_size : uint16; diff --git a/src/analyzer/protocol/smb/smb2_com_transform_header.bif b/src/analyzer/protocol/smb/smb2_com_transform_header.bif new file mode 100644 index 0000000000..fd77829dd4 --- /dev/null +++ b/src/analyzer/protocol/smb/smb2_com_transform_header.bif 
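Review bot: `SMB2_transform_header` consumes only the 48 fixed header bytes and declares nothing for the encrypted payload that follows, while `orig_msg_size` is taken from the wire and passed to script land unchecked. Whether the rest of the message is skipped depends on the enclosing `SMB_Protocol_Identifier` and framing records, which are outside this hunk. If they do not bound the unit by `msg_len`, ciphertext could reach the parser as the start of the next PDU. A comment on the record would make the intent explicit: `# Encrypted payload follows and is deliberately not parsed; framing is left to the enclosing record.` The field docs should also say that `signature` is reported as seen on the wire and is not verified, since the sensor has no session key.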
@@ -0,0 +1,15 @@ +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 3.x *transform_header*. This is used by the client or server when sending +## encrypted messages. +## +## For more information, see MS-SMB2:2.2.41 +## +## c: The connection. +## +## hdr: The parsed transformed header message, which is starting with \xfd534d42 and different from SMB1 and SMB2 headers. +## +## .. bro:see:: smb2_message +event smb2_transform_header%(c: connection, hdr: SMB2::Transform_header%); + +type SMB2::Transform_header: record; + From a346b01a85ed3ba5b7c329ccb4b9ce18d01b765d Mon Sep 17 00:00:00 2001 From: mauro Date: Thu, 21 Feb 2019 12:01:02 +0100 Subject: [PATCH 12/88] clean up, test and pcap for transform_header added --- .../smb/smb2-com-transform-header.pac | 4 -- src/analyzer/protocol/smb/smb2-protocol.pac | 2 +- .../smb/smb2_com_transform_header.bif | 2 +- .../canonified_loaded_scripts.log | 1 + .../canonified_loaded_scripts.log | 1 + testing/btest/Baseline/plugins.hooks/output | 3 ++ .../scripts.base.protocols.smb.smb3/.stdout | 44 ++++++++++++++++++ .../smb_mapping.log | 11 +++++ testing/btest/Traces/smb/smb3.pcap | Bin 0 -> 15692 bytes .../scripts/base/protocols/smb/smb3.test | 14 ++++++ 10 files changed, 76 insertions(+), 6 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log create mode 100644 testing/btest/Traces/smb/smb3.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb3.test diff --git a/src/analyzer/protocol/smb/smb2-com-transform-header.pac b/src/analyzer/protocol/smb/smb2-com-transform-header.pac index 10c1e5422f..9fa4fb7dc9 100644 --- a/src/analyzer/protocol/smb/smb2-com-transform-header.pac +++ b/src/analyzer/protocol/smb/smb2-com-transform-header.pac 
@@ -4,8 +4,6 @@ refine connection SMB_Conn += { %{ RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header); - //r->Assign(0, uint8s_to_stringval(${hdr.signature})); - //r->Assign(1, uint8s_to_stringval(${hdr.nonce})); r->Assign(0, bytestring_to_val(${hdr.signature})); r->Assign(1, bytestring_to_val(${hdr.nonce})); r->Assign(2, val_mgr->GetCount(${hdr.orig_msg_size})); @@ -30,8 +28,6 @@ refine connection SMB_Conn += { type SMB2_transform_header = record { signature : bytestring &length = 16; nonce : bytestring &length = 16; - #signature : uint8[16]; - #nonce : uint8[16]; orig_msg_size : uint32; reserved : uint16; flags : uint16; diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index d02a69edb1..f5095a66d1 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac @@ -281,7 +281,7 @@ type SMB2_error_response(header: SMB2_Header) = record { type SMB2_logoff_request(header: SMB2_Header) = record { structure_size : uint16; reserved : uint16; -}; +}; type SMB2_logoff_response(header: SMB2_Header) = record { structure_size : uint16; diff --git a/src/analyzer/protocol/smb/smb2_com_transform_header.bif b/src/analyzer/protocol/smb/smb2_com_transform_header.bif index fd77829dd4..6fc60e59ed 100644 --- a/src/analyzer/protocol/smb/smb2_com_transform_header.bif +++ b/src/analyzer/protocol/smb/smb2_com_transform_header.bif @@ -6,7 +6,7 @@ ## ## c: The connection. ## -## hdr: The parsed transformed header message, which is starting with \xfd534d42 and different from SMB1 and SMB2 headers. +## hdr: The parsed transformed header message, which is starting with \xfdSMB and different from SMB1 and SMB2 headers. ## ## .. bro:see:: smb2_message event smb2_transform_header%(c: connection, hdr: SMB2::Transform_header%); 
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 02e6855308..64f8dedc72 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -136,6 +136,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 1df4b007c1..abb0ca0304 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -136,6 +136,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index ecbb136298..412dbaef10 100644 --- a/testing/btest/Baseline/plugins.hooks/output 
+++ b/testing/btest/Baseline/plugins.hooks/output @@ -658,6 +658,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -> -1 @@ -1553,6 +1554,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) @@ -2447,6 +2449,7 @@ 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_read.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_session_setup.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_set_info.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_transform_header.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_write.bif.bro diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout new file mode 100644 index 0000000000..155317d262 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout 
@@ -0,0 +1,44 @@ +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=v\x17k\x19V\xed,\x9cZ\xcf\x00\xa3\x0c\x04\x85\xbc, nonce=:\xaa\x96\x8f\x18\xaea\xe6\xe7o\x1f\x00\x00\x00\x00\x00, orig_msg_size=146, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xec\xbf\xd2v\x00\xd6["R\xf6?\xc8\xf95\xd6\xe7, nonce=]\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=136, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9ah^\xb0y\xca\xcc\xc00\xb7\x0f\x0e.6\xd8l, nonce=\x91yv\x16z\xfa\x18V<\xd4\xbd\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa4\x8a\xcf\xab\xe3\x97\x1fy\xb1??\x12\xed\x01U\xa8, nonce=^\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xafq\xe0B3?a(J\xa9\x94\xd7\x98\x83\xeb\xca, nonce=\xe9of$\xde\s\xa4\x9e\x96\x8e\x00\x00\x00\x00\x00, orig_msg_size=121, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc3w\x8c\xc7\x9e\xe9\x98@:\x13\xa2\x1d\xcfz\xaa\xcb, nonce=_\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=720, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x18\x8d9\xce\xa4\xb1\xe3\xf6@\xaf\xf5\xd0\xb1V\x98R, nonce=\xc0\xbdfU\x16\xdb\xb4\xb4\x99P\x7f\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9c\xd4:\x8b\xbe\xecS\xe4\x013\x18t\x7fb\x90\xaf, nonce=`\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=92, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 
[signature=T\x80\xd9\x08\xf7>\xe9\xde8;\xa0\x89\x9a\x0f}[, nonce=\x11\xde\xf2n\x84P\x0b,+\x1f\xce\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xcfX\xd9\x1f\xa4\x11\x06\xbd\x89\xa7blz5[\xa3, nonce=a\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=80, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x8f\xa7u\xda\x0c\xe8f=)o\x13\xa8\xab\xa8"\xf6, nonce=Eq!\xd9D\xdc1B\x01J\x80\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=8l\xb2\xecl\xa8\x1f~e\xf4\xbfB\x08\x0e\x83\x0f, nonce=b\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=100, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=+\xed\xaf_\xdc\x12\xc4\xb1\x0f\xfa\xf2\xc2\xdfs\xe5w, nonce=\xff\xbe\xf8\xe1\xce~2\xf3\xd0\x1d5\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6d~\xf8\xd2\xffs\xc9/\xad\x17jz\x008\xd1, nonce=c\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6F\x1b\x19\x07\xa7\xf0\xc9E\xbd\xd2a\xdb\xb6\x1b\xc8, nonce=G\x10mh\x09\xb5\x1b\xed\x9d\x03\x0f\x00\x00\x00\x00\x00, orig_msg_size=158, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0e\xf8\xbb\xfbB'\x83\x9b\xa3\x98\xa5K\xa4,pO, nonce=d\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6\xdc\x0e\x9c\x06\xd2V\xf5\xf5za\xd3[\xfb\xde|, nonce=\xa2\x15\x19\xce~\xee 
\x16\x15\x9a\xe8\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xfc\xfbM9\xa6\xfb\xb8\xcc"\xd8\xc3S\xbcX#\x16, nonce=e\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xbe\x85\xe3\xdeX\xda\x89\x87\x8e\xd6\x0aq\x7f\xf7\xff\xb5, nonce=\x9a\xae\x1f\x88M\x09W#\x18\x1a\x9d\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x83ime\x91/8f\x13\x9f\x16Qa\xd3\x00\x8a, nonce=f\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x91\x8d[\x18\x9d*\x97\xc2\x0bK\xdb\x94dbB\xae, nonce=\x97\x9f\xd7\xc4,?u\xf1\xcf\x1f\x0f\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=R\x96KU\x95\xfc\x05\x17\xe5\xbd\xed\x16\x12}\x8e\x81, nonce=g\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xf4RBG}\xd0i\x0f\xcbdP\xe7n\xd9\xc0W, nonce="\xda\xcdU@;<\x09\x0a\x14\xa0\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=t\xb9p\xb1\xec\xbfm%\xfc\x8d\x0e\xacR\xe1/J, nonce=h\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x98\xbc\xb1|\x9d,EK%\x9b\x0d\xec\xcdF\xde\xcb, nonce=\xd8\xa5V:\xeaQM:\xe9V\xca\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 
10.160.65.202:445 [signature=\xf2\x8f\xc9U\x8c)\x12\xb8\xcc<\xb9\xa6Ni\xe9\xcf, nonce=i\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=UY\x80\xef\xe4Jw,\xb95E!\xa1I\x9fM, nonce=\xf0\xe60Q\xc4\x15\xaf\xab\x8a)\xe9\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=y-8dk\x8dKH\xf3\xdd\xb3\xbf%n\xfa3, nonce=j\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=176, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0by\xe8l\x11\xdbm\x90K\xcc\x11wd\xdb\xd8\xe6, nonce=\xd2V"\xa9C\xac0\x15\xf2Pe\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xef%\xd6\x89\x095\xba\xc8P\xd2\x85\xb0\x00\xd2\x07?, nonce=k\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xdeR\xf3J\xde\x13n5\x86P]\x13\xb8\x02|\xcd, nonce=u\x81\xc63\x06\x1f\xda\xd1\x03\xaa!\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=_\xaarMl\x89l$\x7f\xe9\xfb\x11E\xa6\xb5F, nonce=l\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xee\x9aE\xbc%\xe9\xee\xc0)\x1f\x85\x86\xf5\xb16\xaa, nonce=\x9f_\xed\xaa\xd53\xd4y\xe3\xbc\xdb\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=N\x9d.\xf1\x01\xe0\xa82\xa4\x8dg\x8ek\xbb\x9d., nonce=m\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, 
orig_msg_size=176, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x098_IU\x1d\xc1\x14?\xebwC\x1aje\xbc, nonce=\xf51\xbb\x95\xc6\x98B\xf9\x82\xab\x8a\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6!\x0c\xe0\xe35\xfd\x0e\x82\xd3\x0a\xfbE\xaa\x85\x06, nonce=n\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=m\x98z\x98Hq\x12L\x85v\x17\xec\xa4\xb7A\x95, nonce=\x04\xa7}z\xb4&\xf7B\xaa\x983\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd8\xcf>8!\xcfZ6\x04@\x9f\x86a\xfe\xee\xda, nonce=o\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=9\x00\xe0\x00\xb8%\xddH\xbf\xa9M\xf1\xed\x0c\xf0\xa5, nonce=I\xf8\x1a_\xf1\x1e0\xca\x0a\x8eU\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=E|\xeb$V\xf4p,\xa8c\xe6\x1d\xd1a\xb2\xfb, nonce=p\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=350, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd2U\xd6\xcf!\x94f\xf8&`J\xd4I(\xa7\x0e, nonce=\x06\x1e\x18+ C\xa1P\xb7\x86f\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=4\xb6\xb2|\x02$\x8bF\xf0\x16\x97\xc3s\xd7(F, nonce=q\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 
[signature=1\x9d\xe63DL\x16\xc2\x8bt\x15\xe8\xb4\xf2\xfa\x90, nonce=}\x09FCI\xf9\x09&\x8aEf\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x82\xef\x1e_\xee{\xc2\xack\x05\xbe\x82\x93<\x18\xe7, nonce=r\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log new file mode 100644 index 0000000000..7f4bc10f49 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smb_mapping +#open 2019-02-21-09-15-32 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p path service native_file_system share_type +#types time string addr port addr port string string string string +1495015336.544229 CHhAvVGS1DHFjwGM9 10.160.64.139 38166 10.160.65.202 445 \\\\WS2016\\encrypted - - DISK +1495015336.569009 CHhAvVGS1DHFjwGM9 10.160.64.139 38166 10.160.65.202 445 \\\\10.160.65.202\\IPC$ - - PIPE +#close 2019-02-21-09-15-32 
diff --git a/testing/btest/Traces/smb/smb3.pcap b/testing/btest/Traces/smb/smb3.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3c1800ea19b04285dd45772887915df23499e7a9 GIT binary patch literal 15692 zcmchecOX{p|Nn1$XA~Kgy(xR8NVX_5WMpT@ZDj8)nUP&&Wk(?*r0fzhvLYihAximO z=O}OP`uhC$yY8-YpL09+b*|Uz`M6%M>s;p!pNI&*3V}cSB)A60=J1s=V=KALoZukRs1Og3Vgiu$O;-@pSGjVjg>11X~hcvRi zX=8?uk2FIfE$!{-EKTwGO?f~O72x3!5P|mo`=hm)8$O?iIiHAtFrN^=i3q=`2@j7D zAFsKv0H3KTzd4_ourWU9A5@_JLVZ2<`yGM6g!i$*aR;bSsl1GZa1bUnE(H5fRntJs zt|TKU&P%K5;UZ)Zh;-^%NrWVJ$OwL>WCVWZg|-9=v^p-8W;tDZBW_Z;2K`q~2x}U&w!7NOo{u-BM zVej5IFd!QsTdqT=f&$snCqim`9vnk;*NR<>AY0IQ9JeJAzSzq`kR6acXmtq`kR8CD zGG9tM&e+afTYw$8kUgM{&4ae=_6xe&pYp$Kxq!exK>w81`0DS(V#!B0oEu}7HMNt2 z8}J3&-5MS_lfTy0gNCSddsNZcgXW941)p)<1sj_a8x0E!J=2EADpQzODW1{&B zqobd~#^VT<_y0zQhK>&J2Ji0TgHLyNG4`E}pT)t$mdQfHWM}VWXliC|X=i3?XlZAt zCVNqUS6D<6U}%IiGqkj@vv)Mx^(*AxakwA5{_WNvHGU3`q52mqrPQBcR$5V5Dbuw# zW(TYcJ}%p1r4RBkXyn#@|Dr*T`dxmDiuhmtr9vR~0Mka${rNgVMdOmPy80EEBSCcB z@x4Fn?LZ%)^7C2qP=0>G{0JW8$C#Z<D~ zuW#Uh_V*ZuyK)_v2>JKTZ&RW1*>i)`xELHm6_p>fOzL@vpWuOm{JiAWwKrh~{Cq|- z?D5kN_$dKLH~uev{y_1+{CkielHYwr?D_i-k&?iYRPch{A^(2>@6_Nm1>T|Z3se&D zf&>;s4;>dB9-gNeVJ~&pr+dA5hU+QX@0S1gXy$G*W(XHW81&u$-`f1)zzAq;pAsj(=azfaHcMx}HT{KfuwMzw*`tmcPk~DX9g!C+hx(o`W=LtJf<0!BXRn&Nk z@OAtJkC&-~dXJ`zK{U{rwa|YFq(6gDNV2h#cw#h`*4x2l;Ec2l#V<`1@YB$KL?p z4{F42x4*mMV!%p*PeJ*^4Jv;QMaO@h4Dd_D47)e)5p6TM+g~Px9(e5^lX_qj+96DU z7H(ifJAorp&?;mLWD}Izp#s??8%kMQ8aMiQh7xHX^`}JPlIPb zg8|US6;zx4Xt3WV$l^aStK}+gQoz>cFBik5n$3WZ=p@h}@C7G;vV%qoworeeesldE z1yH{e5=o5-!7)_-(&88OBCN%&gIc^I09w3+v>*W~==Z#15NPoXG~V(P%sX6;TT^K* za;55aBeDoFgKEVJ?%ts+HkzKXhx&m)#KK#&y}r+|C4C=CeEy2^`H@BC7!IGEaLkwI zU)(Do9x_iX@H21IWhW8wepY%dI=+ESX!7Ryv)K;`dtdgawviX>FXhnvX!NEN?DspG ziJ)Al{xT3~h`p?ro;0YbbD_8B&ad!^&0)zPa(%p4Ry$j9ZkpY1F`kGPGX)K;7OSO4 zt}=b__i%JU&%e{nr@OHY8qe3HHzEuQzYs8j13TT?96v@Xmj} zdMP?7XD|}sz3f@-IUQ<*(M5f!=8LmvvWs}ju!X-;|EUPtMb1YZ9%yv+`5gvsp`CF} zevylP)Qx#&7b@;5aZZQSub#Urj2sEj_|YOCY0leB+dtPwd96t%s!3u#x!?FxmYFqI 
zB}Gv%XG>JI;kkw#Yy9_&to2K8_{=$(WQNoPSC;HuwY+wH1NrF0J|CUTAvOLEK7;CC zJS|W!!90bb@YJVkZyE%6`eE6;$I}qtsR1-n0r@EThC!)YTSo)WQ{p41g$8V5+*~N! zzf)?7_kv&miZ8tV&qv6)m}gJWix;X2*0~9fwrYfTpW|>l`^wXCPM~~FTfV$zKGdJ% znena5zCQ|UO0P!9o?d-CP@w2foRRx=9&651kthFhgEKe7lII88gkz&rcOo1!=6#s& z-JcuuwYKjft(Zu`8j)NZxW&t{m|8MPe_YG+<>ZV#Zc6MWIYkF^Fq$EsK)w;!=bK{S z8!~VVRaAb^Fp+35Kl%sxF%9BUd3_u3!#aCukDn&M&k$&%1M*FFc=w~pL|V5p2??@A zG|fB%6n>IWeB)I8p%AM-s=iL)%5<|e(X~27iPRZ&gCZH3P$xW7jDR1SICQ=^QVShd z`{M4{Oi#3mv&>4gJIW$Sm@}ifalVbWeIJ?W-M*dIV~R(g+qnE>u_8nWM|I-pv6puu z%tv);1bolFo~BlHy?3LO^*U$g+ZS6-N{p&sJ@0s7?-Vu?Ke|)g))=51lwJM8d;Mpi z5GFwv_BB84)m>jfK0CJ0XRjZV8h-_!LG>@5K2a~jJl#3S)9c&1_GX&Cl<0(c$UUBh z0Z&b!ks`=vB@W|K{1QfNiuv*HlLF@3=IqUxM)i={>388A3Zgw!{^KbTnLz0zzb;n% zX7pR{g(tyO#PQDp*mJaW&zbvwkR?gfdK~TDf18-tCyv)DJbIXqrP-`PGsD&Ez0OO~ zwM!X33SP3YBT01edk}9;basiwS`DY%?J|uFs$;cvSy1gc?wI+h z>c|B91U=rA$S2qrkWXxWhkYn!$5xOUD}rOFqH=^GjzotzT4XxNk(nl!O6z&R5lb$} zm{80H{&)pA8U|Ss6Y@!uYvil+xg<%kqYqAYyBD+@qHy#EPX7P-g!mF2Z-r0p>$p~4 z+xbPJ>zULqg9TiMRvh2?RTfrp@?HC>g7>1QPK>7$@%*QF0%=z6`gUrdP_gm5urO}C zkWpOq&Y;d-_7uweDvb;>qn9@0;vg zti<)aOP(q+OWV7x9=^dD$Qkp5Gkz?UllHls?idf3(Bf^Jrz=&WQ5+-_>DH{v*>u$I z&(ofrm-ouQ#}SOpNI^~%ky>C%rOz^bqLV@5qh9sdx(S>J-l2f@;rEO-q$BnI^S&l# zl#&d(?o;E7PhB`uGAAb2_>mj0gvV!Jsc;=LSef;uX1Ib@Nztq(9F}r?@)nIIZ$?7r z!|~~w$ch|mQeBf%iH1RX3w@E_#DlFv#W}__HnNJ)S|d{v#Z>yL3WbRbM?_wb#1R#W zt-VzUXn0{6nuu?8yXR5CbB)kx`pZ|8krJuv(iRUlU(1*rsXXG=v#hQhgg4kIfu~L# ztJaP~GoU7y*~WR(FTVi65ioZwEi0_|vnqR}n!>SfaXl|eqR3>L3&q)}PErQnUgo0E zkDcrgmC-a^Az(1wX7av!+!&*Ehi5hKGApr4WP@eg*5xAq0R8NFjM{U4+UArp23#F% zGS6Zsq(nd2sB*+)pI4K8`+afz(M(l@X$8To#g8ifj?vT~u~)e*UR-#ptvKI1rZ3y3 zTac}JZv*KS7}hnY?)QL@hEF%;>`vmNSO%Q(#(OMVg-3I}&A+dZHp&LGUTR@}Vx}|v zoVV6Pjf1%6LMN{Nu>V?mEsMaA=xSYhja`>b;fvn(u)8a-k&n>}JTPDA@uuDj;a|sl zmWNedW+#nM8cCa3*fCq=+j#Y8LiFXCD-Ss26(&iP{4`j<&7zg`?TpQy=qB17W6)T` z+!udZ8c2;N!DmqYEB^FRufXvq{b2lQJ+EtjLm$K+CcWP|AB?jP(0Bulq(Nhi^0sJK zcG={HWXbxQGOZ-FhB|Xiis6cidslqGDF|>U0G0p7+Tdo6nPUZ^G0kUt9foYOy!q4O 
zjU}lctysOC!y+pgtLGJ#&GD_M@r3Ra^*@XXJC8em))PBo*y%~9$lM||vrgBK)3x-D zKZ6^>sZH#vR96Ys#hA`q`u^>a^o(N+j#zJOKfC8SF$-r;*mlSVn{W?y=eCS5NR6S} z0;ral(lDGDwddKiNyWLt=HimTlv!1f(tVwY{Pu7`cj;>f;+i0~8q?~R+6P3I{0&dDQtuh; z+Ka0FqmDzh{{m~DhNAr#(Ebb1Uc3t2D*T=sj{xo4fHAQ48oq`OGnmJuaA1otKI0dDRw0Bwj`HUPkyRS%h+u2i`q2$ zg60{4kbwS=h$f|gYa!DMV+JkuF7 z<+qZ&n73&R43GA_=DVZQr@6AH{Q}&NUG0AYA3$A)>R;N|A~9j@AE0Reg-fN)7iiB( zdU8+uPN4k=Xd@8PzFT{cHk%Z?E-csB#$E7QmJy2fSD>ry)83BAL7=aWj)+SzItg=r zX@PemxrO^wCl^1T2nqJd`(JHZZ-n_6KS=(PxLI6&Io}4!!jwW4WfZ~wdNTdzn!DSe z?mN#kIf0z(Nkp@TY)Zxm1Y{$s-f;tm>b(l;N}Eh8_q{3B`Sc`UWeNS7NsUNe4+>iUKpQHer+)J-SBIpQncVZ`)AXc+isk;-;P>`iqKm1i93dr5(1XH*hpu;Cpl6gHdn<)xY$9 zgT#XMzI{+{OE)f+c6y*U2L-qT{5`jL^IPvENN*9F@&%hbT5q$pdMVr^0mQ~AdV`?? z%75{WKvmsCYb9`msiB3S>8EHUlKXXAZ4>jA_$@ats*tt>b{~P@B(=sgKO|2^bA6QB zJ<*pTHI7dQ(bb~++%;9q5)cXBKQV?pk4{kj;`w#{obox(vDX9dhfl=JXm==1bW3qw zJOy76W?&7z`Y!MEA4!dSz%f++iucXbUttCc4>HhBuWN5b4j8bd9N%ML6pZ;dppi(( ze$K@b!w+Q5WyIfC8^@5JTz8&tPIP(meSLFM5S)TQXv5q8?2qYj9`egfIj`>){(Y5c z0OPjpcBjW9jN>@c5%gbYwD<{)0=lkJa?PGHx8*_G+IY3#>hkJzP6H)%k%f#i_o6eA z1#x=7gV`m#5ng7V(po@>lBZ18u;4`THrTHup8`j+EpypQO zKyzrlo})W#PxE&`a|oPL$mSMP@6DbaWb2ut<5unnk+&u&ntMW5+o$7S!ZF1OrAlNYH;juImr^lJJTz+Q${eoF4bFLLo2 zLwZ3cyzb1T;^|j)m1p_vf6B_cKd}qgk%+w78TBUUfn`*S+(m~KJyFFl#m|zBGgdXH zN=Hy`P&+c_6{yV65d47$=-NY^@531MB?`MekNFl@3;*H#;Hq zp5DE`_5Qt9wR;7~E~uYS*>4vXI6n7#eLcCF^$%lgH_kw`XrQ4A0dEOCI9-VTYxfA`Co=1qz z>4xelvy@LZe(Dn`eIk0e(dz=6XLZ}pU7xpgW6d4Dmvws;@)zW{DY)0WdRuOh8aIJs zsQxv+E0MUc-VYDzZG95x{S(sr3`oYmWBLHldknPU1^MmB=CdDCtN|%mNe`8>xo%!I zMH$};(AD;hZ*(hhr-5B zz(zV?BW)c-fZw@$9Iycm8hG6)=fjay>>jQ4b$6q8*M5w8J|L&+@?N5&AWxo!j6?Xs z+yB@|ryEdL$cyZW)n%(Oq$oQ%{+3L)J@e<~t@KYHKN7UQwov}qWT$pAIs?7wlHOJ| z-F4?{I4d{()s_lNaguv-xqF#k3nPvx_?WUPm`kz@yk_m)2tOe_>3jMeR=)I$tF#nl zZ68fWk|@qaKTPtQ*s0^Q^0;ViDqa#l&Z(3Cxely${A=Aw294~nbtgPne@ztq)45bS zD}nxOQM!Bj4*~thfywZ?)AkQ#(VQPu9Sj3a>b2U86lN&;C!zSpn^2Kpo6}Y3={@Gf zXyLQZ*Pf;04Af@bad0RfoP8erb&59cM}nZU(^9RZ%Oje~5z!&C{N9rD4pJO3P1>c* 
z+8x!MrGyU_Q_I!b`R`$cxWt>?Cn?Fb^OjndH1-g0e@bK=I-0o<=oCn2O15?G9)|+C zQ`Qdc`&k{8)AhDFACb>#a9Oxh9wKs?j>|2Vst)s|Jm{+@rU&x?XpIiyY5zQc1e@%z zdB8WAr@Vtabyn)y+t>k~Dm8Kr@C2>Z!SjIUL6f7}Lt!CN{rC<(-*zgKi)llZ@vbsb zQm4V*(nj$a+j2tsjp`Eugp4wp%%>(Jez2dj5h2mAXP1lr@_>oed7L%&MDEw-+euH? zZ%OcX7}seDFIqiGAJIa)R1hm6_z`>dJDvTC*g(dYTj!M))>~NSva^VqeM0^{4=@2X zA2JWXhdH@vL`2g{X4ce0N)(4rcD4dqkfPXTL!=klv`MxDfgHe*&kcf?kZ^} zY-1h&RJTY$<`v~A+bJ_mTh2J@a#fG=^HCat#Cd0o)@n>pL}vyz`y!X+}1xgKnL?({tg{c zaya@Wd&gJTF9&%`^?%f==l*wWStL9(wrs&X<)H8ca+U2W;Ay%!d5@{;^D$B-Gflro^EmvD|y9HQ3kaTzaY7HMwrC z$L$g^v*z1&?4zIN7LP>6#Vl_wb>zL6L3ws&yUL}~4L$o{>1){IWE5~R0Stm; zi&OQ@vW0qE=Iz@@3e_ggDBeKf1U0q<%qziL*QR4a41rH=5O71r%mN^%fmmN8(Pk@c8((Oz9R zj(Ims@JFnLN8|^a>kSXfU*6g%PSME1OZM>K6v=VN+D63EuX1%Vw&hPK;Qu?e(2^Y* zTfW0AcpYS+8$92z%KQUuxS_q+vSVHEfUjx9;GWu9qVGD^%TL<^m=qwNC^wZuNF zDvQl&!Rt7G&0Eee2gknBt~xs<#ofNa)YN*SD3+nl;N%(Q3N`(=Z>UFD(P*U{qtHTP z?#~oT#Y?u47#q6Hd=9qqcNQ2=Y?hu^*C2e2)usEzr@1eSCHKcK&UldsW4v56;uo`5 zx0*colvIn(hbcJAW{Go~2Xkbik0TX+$u~ue{JM^j#BIvN`0v;f2z+x$Y$1Y~Q9T%2 z>~gqN-az??)0K6PnX%u@!1I>XJFS|L>||9P;?+4SmUG>fD9oV77GK{hr!=drB(7Vo zd3p`%H+V=bxnhTSGMOYq$A@NzG}%hVT)b$T)pq~5PZ;CWy)RKhF`4zcHhzqWBzw!6wH-6VCjw1z*r~2fx}B#xe@&gbqocr9FSJ*${_8a5AUz4VfB7?S*}q;*N=|mz zdi4*Or?`VWy#cw(-o=*^gF?gR08h|dA6~=K)bU-OQgr327L=jCuaKdpfOkVOR zoP7?Q^7k5+bBA>3xVKEfSfgP$a=6R8a}1aFvry`1#wzXijunMD6zP-oGSu&#+?0FM zMLKDI8MW!+A#hfvkui`+~VkL{-6>Uf%*Q3c~j*8Q&=e#^P}h_!wI*OA|t-D z$Mf0aURsKK53 z?|IDlZ*Hcb`yDrK5mW2iO7dSv9@jJ5edo7A;ieS6{(tuZk!Q1~$!?WxX_t6-RB4sH zU3^4EeC!o?cFJLpSp1NxyDN`Q%kEq2XExVRrHo5#W{pJ;Xg`@~ySrP+%-^CAFy-4> zSxcdKrGCEZY*xk4{ODY0hZw7?N`&=>NJ!arte{9%&l&%8Ouu>~?D-+bqBR9NjBFQs zF@;}Qxx$9Fu4FG47HiDTu_Bv_rc^{2N!27mH$SeZFIHPS5O{0H2bFX9ihA%~kmi;f z)W0S94ooo zy9a4+k6T#9K9?w9v`-ldFHH{4@TBeAIggu-L;ZGX@STPpTHwlnfswfD#8{)Nq~gn? 
z4yT5hPK1xw*IWNPS5*U>519uO!~9quHUHuV&Q;6I{b6{5HLtJq z1eGFsa3riz_(9E8Yh(_}tkn1I7m#mTOVm?3G;8`KA8ni}82xGz)9JXBeL|3+_wLKQ zYm_yD7G2SNPs6pV1>cWQ`r8u}F5RgV+d!k*4!q}m@w0ylc5fH$n+JA8Gv8hg7Ceu# z{z%_IG}Kr>{*eAz`E-{L>%_Aknk*626AQJ0uj*SFz2(0BJ6D~Smp<$s`xnfD+d&rI zy6D+6e|<(LY*+?%C<=*TRoYJM_rhB)SoT;2Hs@u&%P!HCBQJ3{W5+KuG4|c~p~92e$f%5J8hEO1n|3A17HnfpO1lT#^cgTf4Iu5wx0pMhR=Mc zX~5G*z>^{Iqy0Q3*8rcvxoRm{rj~hbsezp~D0sb0s35~|v7nE?*KM*E{L}#yOL+TV zoMyY@Gq5FiN3X5VywS$luN|}I>^A+ca(?w7Y;yHj5&j6F4cr$`gL1F4jb&=YmRwzk z_P297+S|IRKT6m2GO@0l;yLMGoPvz|t#gsSodYG|C+#9y zeW_ni{4-a@03RHZt4LvPP=4#|@DXs+4Y*-jb^a4;lELo=VQ%1DrIL2~3)*-dU-oT_ zDC=iwr)^QVLCsZjMmI&+JhJ050$3B9I+FI{vJKhRmy{6}Ey-1JG45lq1mVKw6{DuP!m-F-oV zO1H328?L(Beb{PwOg^C)Wz#A}UTt~KGkJPZq{cWp_UnV>sGQ?QhAxxb&!k#(aXJU> z?$xOWpLro%r1;i=SiIt?4bkj+nVTUR_emRVd$R2wK|7G7{*|jXRHP4Cv!OwQc|v(s z-_xyY@7M--a_uiaz!P|qwVSK(L<|))Prf)NG4Fbj+RChUo%dNnOOn)<|D$l2B-C70 zT;{uFpA?ERe{BOfYO=^e)%pT=tx)+q@sPmR|ew9=FfOU5+B*l69#hjQ= zsQ*f1GaB#OmHN8bL{hJKqK}EG&*gAs{T{{jJedix6gG;i2iQXEQ&4_})+nF?&2_Xc zOCOf2$Y6eM9E>}TZConv3?Y7Wa{uB7&Q&?|gyWNfKacpo!~Y>u5QJ@q!VhY$D)S8p zTe5YpTq#RFi~FJIR+;?9xo#h)`&C9M7TY>E=dSXyeXuPejJ)VBD_hZji*Uy2o%Ih9 zDdFnLb1GyQ&0)G6ZI3{qHqJhq?5g zq==W(y)EUus@0M~Hk@VB(;fQnT&1sfSgxW$hgonw7+c;M>e?f{0SnQ+z}36=RkT!i z<;f5WaIUgVa!-4gN$Trc+umTyu8N&Ju?f90yF5}fsDzoE0MTe5U` zkyf~;8jsnoPa$$}>g^u{q-xiKN)GZu8;20T2Rz;en& zi--$X+nzqmlO;`RH<`{p`fA2}EU7sh!J!#C`dskMi*~+8jwjw>3ed8-I=@J|FUs`O zCsO)W{kt)TD?hS(o|ic_Cb3v_fym*WQJk^6n?n3tzqKI)s74wLEeZKOSMZ%Sb3Y*l1UrzC~;YWcHsmpgm!-giyf~=+As^&mO)T8(ugC@^nWk$;)kyqrpXYjaLlpMiU| zmlIKRbhtVt z73eBeBy#H#!FU%knUL6IwK+v5>-G2#^HcEkcgOorV0#ldhAJxah)N_m93ztsGVeUa zrP8Mam}kiZ!ESdAA^A0kku;zU_?fA|lX6dVrU=;;io_=5dp21I6y_D6tL+=_>%~;m z4#@DvuKP{om)*u1uq1`~{ zj!d6R^m%{D-BC0j_?T{;n08|Cnd$y#T%30foiAa*`X(RLw@*pe-o*^)JMg$}Pu~+j zUvLMrJ73~Wo936kM9~=GL_S-w`aRkUPxhk179LBu%&xwu^QEFHU-cy^7J7SL|Mc%A zxRCVkv#|I?guvfk|g!)#-ToS5iLmqh9O6 zf3zl9yKYv0vr6$>i~5Fxb8c&!9os>}Gd;trr>FmG8={{_^Bg54J~Jjt%9; 
z+vBz@>D{^a>%Q!?dUVZYy|R8%H}Q_|{REpgmcOC7ow{pUbaKPhpzDdd%}{2z{M2ny PgLDa9)B72_^QHd>)N;5A literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/smb/smb3.test b/testing/btest/scripts/base/protocols/smb/smb3.test new file mode 100644 index 0000000000..f762ea10f3 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb3.test @@ -0,0 +1,14 @@ +# @TEST-EXEC: bro -r $TRACES/smb/smb3.pcap %INPUT +# @TEST-EXEC: btest-diff smb_mapping.log +# @TEST-EXEC: test ! -f dpd.log +# @TEST-EXEC: test ! -f weird.log +# @TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb + +# Add a test for SMB2 transform header. +event smb2_transform_header(c: connection, hdr: SMB2::Transform_header) + { + print fmt("smb2_transform_header %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, hdr); + } + From 74c225c7cb6df4d884afb05014e0691ccd48a18f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 25 Feb 2019 12:55:03 -0600 Subject: [PATCH 13/88] GH-286: Check for record type mismatch in ternary operator Fixes GH-286 --- scripts/base/frameworks/intel/main.bro | 26 ++++++++++++------- src/Expr.cc | 8 +++++- .../language.ternary-record-mismatch/out | 1 + .../output | 2 +- .../language/ternary-record-mismatch.bro | 16 ++++++++++++ 5 files changed, 41 insertions(+), 12 deletions(-) create mode 100644 testing/btest/Baseline/language.ternary-record-mismatch/out create mode 100644 testing/btest/language/ternary-record-mismatch.bro diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index ffa115e92c..1f4f7afe23 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro 
@@ -268,16 +268,21 @@ function expire_string_data(data: table[string, Type] of MetaDataTable, idx: any # Function to check for intelligence hits. function find(s: Seen): bool { - local ds = have_full_data ? data_store : min_data_store; - if ( s?$host ) { - return ((s$host in ds$host_data) || - (|matching_subnets(addr_to_subnet(s$host), ds$subnet_data)| > 0)); + if ( have_full_data ) + return ((s$host in data_store$host_data) || + (|matching_subnets(addr_to_subnet(s$host), data_store$subnet_data)| > 0)); + else + return ((s$host in min_data_store$host_data) || + (|matching_subnets(addr_to_subnet(s$host), min_data_store$subnet_data)| > 0)); } else { - return ([to_lower(s$indicator), s$indicator_type] in ds$string_data); + if ( have_full_data ) + return ([to_lower(s$indicator), s$indicator_type] in data_store$string_data); + else + return ([to_lower(s$indicator), s$indicator_type] in min_data_store$string_data); } } @@ -499,16 +504,17 @@ function insert(item: Item) # Function to check whether an item is present. function item_exists(item: Item): bool { - local ds = have_full_data ? data_store : min_data_store; - switch ( item$indicator_type ) { case ADDR: - return to_addr(item$indicator) in ds$host_data; + return have_full_data ? to_addr(item$indicator) in data_store$host_data : + to_addr(item$indicator) in min_data_store$host_data; case SUBNET: - return to_subnet(item$indicator) in ds$subnet_data; + return have_full_data ? to_subnet(item$indicator) in data_store$subnet_data : + to_subnet(item$indicator) in min_data_store$subnet_data; default: - return [item$indicator, item$indicator_type] in ds$string_data; + return have_full_data ? [item$indicator, item$indicator_type] in data_store$string_data : + [item$indicator, item$indicator_type] in min_data_store$string_data; } } diff --git a/src/Expr.cc b/src/Expr.cc index be186524ad..fee74b04b1 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
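Review bot: The lookups in `find()` and in `item_exists()` (second hunk) are now written out once per store, and nothing in the code says why the shared `ds` local was dropped. Judging by the commit subject, `data_store` and `min_data_store` are presumably different record types, so the old ternary was never type-safe. A short comment at the top of each function, e.g. `# data_store and min_data_store are distinct record types; do not merge these branches via a ternary.`, would keep a later cleanup from folding them back together. While touching these lines, note that `find()` lower-cases `s$indicator` for the string lookup but `item_exists()` compares `item$indicator` as given; if that asymmetry is intended it deserves a comment as well.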
@@ -2337,7 +2337,13 @@ CondExpr::CondExpr(Expr* arg_op1, Expr* arg_op2, Expr* arg_op3) ExprError("operands must be of the same type"); else - SetType(op2->Type()->Ref()); + { + if ( IsRecord(bt2) && IsRecord(bt3) && + ! same_type(op2->Type(), op3->Type()) ) + ExprError("operands must be of the same type"); + else + SetType(op2->Type()->Ref()); + } } } diff --git a/testing/btest/Baseline/language.ternary-record-mismatch/out b/testing/btest/Baseline/language.ternary-record-mismatch/out new file mode 100644 index 0000000000..0c1cefce0d --- /dev/null +++ b/testing/btest/Baseline/language.ternary-record-mismatch/out @@ -0,0 +1 @@ +error in /Users/jon/pro/zeek/zeek/testing/btest/.tmp/language.ternary-record-mismatch/ternary-record-mismatch.bro, lines 13-14: operands must be of the same type ((F) ? (coerce [$a=a string, $b=6] to MyRecord) : [$a=a different string, $b=7]) diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index 03dcf582e9..fd0420cc79 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output @@ -6,6 +6,6 @@ #open 2018-02-27-17-25-30 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 547-548 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 553-554 0.000000 Reporter::INFO received termination signal (empty) #close 2018-02-27-17-25-30 diff --git a/testing/btest/language/ternary-record-mismatch.bro b/testing/btest/language/ternary-record-mismatch.bro new file mode 100644 index 0000000000..068952a69f --- /dev/null 
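Review bot: The new `same_type()` test in `CondExpr::CondExpr` only runs when both operands are records, so two operands that share another aggregate tag but differ underneath (tables or vectors with different element types, say) would still silently take `op2`'s type, unless branches outside this hunk already catch that. Either extend the comparison to the other aggregate types or state the limit in a comment such as `// Only records are compared structurally; other types rely on the tag checks above.`. The `IsRecord(bt3)` term also looks redundant if the preceding branch has already established that `bt2` and `bt3` are equal, and the nested `if` could then be a plain `else if`. The constructor begins before the hunk, so the earlier branches are not visible here.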
+++ b/testing/btest/language/ternary-record-mismatch.bro @@ -0,0 +1,16 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath" btest-diff out + +type MyRecord: record { + a: string; + b: count; + c: bool &default = T; +}; + +event bro_init() + { + local rec: MyRecord = record($a = "a string", $b = 6); + local rec2: MyRecord = (F) ? MyRecord($a = "a string", $b = 6) : + record($a = "a different string", $b = 7); + rec2$c = F; + } From 53dc1176b787d4395507c6bf213cc3a486d9a4a2 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 25 Feb 2019 14:07:53 -0600 Subject: [PATCH 14/88] GH-281: Improve parsing of Google Pixel user agent Fixes GH-281 --- scripts/base/frameworks/software/main.bro | 16 ++++++++ .../output | 37 +++++++++++-------- .../frameworks/software/version-parsing.bro | 12 +++++- 3 files changed, 48 insertions(+), 17 deletions(-) diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index ddd7ae9801..068f34d1cf 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro @@ -147,6 +147,22 @@ function parse(unparsed_version: string): Description { return parse_mozilla(unparsed_version); } + else if ( /A\/[0-9\.]*\/Google\/Pixel/ in unparsed_version ) + { + software_name = "Android (Google Pixel)"; + local parts = split_string_all(unparsed_version, /\//); + if ( 2 in parts ) + { + local vs = parts[2]; + + if ( "." in vs ) + v = parse(vs)$version; + else + v = Version($major=extract_count(vs)); + + return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; + } + } else { # The regular expression should match the complete version number diff --git a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output index 6f59b224b3..a9715483b1 100644 
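Review bot: The Pixel branch added to `parse()` matches with an unanchored pattern but then reads the version from `parts[2]`, i.e. whatever follows the first `/` of the whole string; the two only agree when the `A/<version>/Google/Pixel` token is at the very start. The User-Agent is client-controlled, so a string that merely contains that token further in would be recorded as "Android (Google Pixel)" with an unrelated version, and `[0-9\.]*` also accepts an empty version. Matching the whole string and requiring at least one version character, `else if ( /A\/[0-9\.]+\/Google\/Pixel.*/ == unparsed_version )`, keeps the test and the extraction in step. `parse()` starts and ends outside the hunk, so what happens when `2 in parts` is false cannot be checked from here.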
--- a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output 
@@ -1,38 +1,33 @@ -success on: Flash/10,2,153,1 -success on: Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4 -success on: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) -success on: %E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64) -success on: Java1.2.2-JDeveloper -success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown -success on: iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9 -success on: ProFTPD 1.2.5rc1 Server (Debian) -success on: Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64) -success on: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5 -success on: Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00 -success on: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) -success on: Apple Mail (2.1084) -success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2 -success on: Apache/1.3.19 (Unix) -success on: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko success on: Wget/1.11.4 (Red Hat modified) success on: \xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US) success on: wu-2.6.2(1) success on: QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0 success on: The Bat! (3.0.1 RC3) Professional +success on: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5 success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7 +success on: Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00 success on: The Bat! 
(v2.00.9) Personal success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) +success on: %E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64) +success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown +success on: A/8.1.0/Google/Pixel#2/walleye/unknown/QCX3/l10660929675510745862/-/104360422/-/google/3606/3607/- success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1) +success on: Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4 success on: wu-2.4.2-academ[BETA-18-VR14](1) success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02) success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2) +success on: A/8.0.0/Google/Pixel#XL/marlin/unknown/QCX3/l8100358318783302904/-/1456904160/-/google/662107/662098/- +success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2 +success on: Apache/1.3.19 (Unix) success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 success on: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063 +success on: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) success on: Total Commander success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) success on: libwww-perl/5.820 success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 success on: Java/1.6.0_13 
+success on: A/9/Google/Pixel#2/walleye/unknown/QCX3/l17463753539612639959/-/2406658516/-/google/724998/724992/- success on: Python-urllib/3.1 success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00 success on: CacheFlyServe v26b @@ -41,7 +36,11 @@ success on: OpenSSH_5.2 success on: (vsFTPd 2.0.5) success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3) +success on: Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64) success on: Apache +success on: Flash/10,2,153,1 +success on: A/9/Google/Pixel#2/walleye/unknown/QCX3/l9335055540778241916/-/1576068601/-/google/63672/63666/00:BOOT.XF.1.2.2.c1-00036-M8998LZB-2+01:TZ.BF.4.0.6-00152+03:RPM.BF.1.7-00128+11:MPSS.AT.2.0.c4.5-00253-8998_GEN_PACK-1.172723.1.178350.2+12:ADSP.HT.3.0-00372-CB8998-1+14:VIDEO.VE.4.4-00033+15:SLPI.HB.2.0.c3-00016-M8998AZL-1 +success on: Java1.2.2-JDeveloper success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5 success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18 
@@ -51,5 +50,11 @@ success on: OpenSSH_4.4 success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731 success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54 success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01 +success on: iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9 +success on: ProFTPD 1.2.5rc1 Server (Debian) +success on: Apple Mail (2.1084) +success on: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) +success on: A/9/Google/Pixel#2#XL/taimen/unknown/QCX3/l2640039522761750592/-/1061307257/-/google/1199700/1199701/- success on: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15 success on: Wget/1.9+cvs-stable (Red Hat modified) +success on: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro index 9a54f3d966..806a058a03 100644 --- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro +++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro %INPUT > output -# @TEST-EXEC: btest-diff output +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff output module Software; 
@@ -121,6 +121,16 @@ global matched_software: table[string] of Software::Description = { [$name="QQ\xe9\x82\xae\xe7\xae\xb1", $version=[$major=5,$minor=3,$minor2=2,$minor3=8,$addl="CFNetwork/811"], $unparsed_version=""], ["Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063"] = [$name="Edge", $version=[$major=15,$minor=15063], $unparsed_version=""], + ["A/8.0.0/Google/Pixel#XL/marlin/unknown/QCX3/l8100358318783302904/-/1456904160/-/google/662107/662098/-"] = + [$name="Android (Google Pixel)", $version=[$major=8,$minor=0,$minor2=0], $unparsed_version=""], + ["A/8.1.0/Google/Pixel#2/walleye/unknown/QCX3/l10660929675510745862/-/104360422/-/google/3606/3607/-"] = + [$name="Android (Google Pixel)", $version=[$major=8,$minor=1,$minor2=0], $unparsed_version=""], + ["A/9/Google/Pixel#2/walleye/unknown/QCX3/l17463753539612639959/-/2406658516/-/google/724998/724992/-"] = + [$name="Android (Google Pixel)", $version=[$major=9], $unparsed_version=""], + ["A/9/Google/Pixel#2#XL/taimen/unknown/QCX3/l2640039522761750592/-/1061307257/-/google/1199700/1199701/-"] = + [$name="Android (Google Pixel)", $version=[$major=9], $unparsed_version=""], + ["A/9/Google/Pixel#2/walleye/unknown/QCX3/l9335055540778241916/-/1576068601/-/google/63672/63666/00:BOOT.XF.1.2.2.c1-00036-M8998LZB-2+01:TZ.BF.4.0.6-00152+03:RPM.BF.1.7-00128+11:MPSS.AT.2.0.c4.5-00253-8998_GEN_PACK-1.172723.1.178350.2+12:ADSP.HT.3.0-00372-CB8998-1+14:VIDEO.VE.4.4-00033+15:SLPI.HB.2.0.c3-00016-M8998AZL-1"] = + [$name="Android (Google Pixel)", $version=[$major=9], $unparsed_version=""], }; event bro_init() From 8b9d525097b69bccf1ed3064ac081aced50d78e6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 26 Feb 2019 15:09:32 -0600 Subject: [PATCH 15/88] Update external test suite commit hash --- testing/external/commit-hash.zeek-testing | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 5ec3d9d5e4..41defd2bb3 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -2f7a827cc339fc14b0c978c986fa776dd9e7903c +6514799425ffd87e05ce2b243433caef2261a56b From 3d4dd2ea67fad80a9c6eda0d6d214e79b3b9c35a Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Tue, 26 Feb 2019 16:56:10 -0500 Subject: [PATCH 16/88] Update main.bro added back user agent --- scripts/base/protocols/http/main.bro | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 381411436c..ee81ae9f09 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -263,6 +263,9 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr else if ( name == "ORIGIN" ) c$http$origin = value; + else if ( name == "USER-AGENT" ) + c$http$user_agent = value; + else if ( name in proxy_headers ) { if ( ! c$http?$proxied ) From 4ae92161e9f6331470b6373b4443471064c8ab96 Mon Sep 17 00:00:00 2001 From: Stephen Hosom <0xhosom@gmail.com> Date: Wed, 27 Feb 2019 08:47:53 -0500 Subject: [PATCH 17/88] Support filenamess for SMB files Hook file_new to observe filenames in SMB traffic and fire into Intel::seen --- .../frameworks/intel/seen/smb-filenames.bro | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 scripts/policy/frameworks/intel/seen/smb-filenames.bro diff --git a/scripts/policy/frameworks/intel/seen/smb-filenames.bro b/scripts/policy/frameworks/intel/seen/smb-filenames.bro new file mode 100644 index 0000000000..9664ccba5f --- /dev/null +++ b/scripts/policy/frameworks/intel/seen/smb-filenames.bro 
@@ -0,0 +1,20 @@ +@load base/frameworks/intel +@load ./where-locations + +event file_new(f: fa_file) + { + if ( f$source != "SMB" ) + return; + + for ( id in f$conns ) + { + local c = f$conns[id]; + if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name ) + { + Intel::seen([$indicator=c$smb_state$current_file$name, + $indicator_type=Intel::FILE_NAME, + $f=f, + $where=Files::IN_NAME]); + } + } + } \ No newline at end of file From 8ce6d67acc342781a987361a0194a012bc241b64 Mon Sep 17 00:00:00 2001 From: Stephen Hosom <0xhosom@gmail.com> Date: Wed, 27 Feb 2019 08:53:52 -0500 Subject: [PATCH 18/88] Add SMB::IN_FILE_NAME to Intel::Where enum This should reduce the ambiguity of where precisely the indicator was seen so that it isn't confused with the normal File::IN_NAME hit. --- scripts/policy/frameworks/intel/seen/smb-filenames.bro | 2 +- scripts/policy/frameworks/intel/seen/where-locations.bro | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/policy/frameworks/intel/seen/smb-filenames.bro b/scripts/policy/frameworks/intel/seen/smb-filenames.bro index 9664ccba5f..7a18276f49 100644 --- a/scripts/policy/frameworks/intel/seen/smb-filenames.bro +++ b/scripts/policy/frameworks/intel/seen/smb-filenames.bro @@ -14,7 +14,7 @@ event file_new(f: fa_file) Intel::seen([$indicator=c$smb_state$current_file$name, $indicator_type=Intel::FILE_NAME, $f=f, - $where=Files::IN_NAME]); + $where=SMB::IN_FILE_NAME]); } } } \ No newline at end of file diff --git a/scripts/policy/frameworks/intel/seen/where-locations.bro b/scripts/policy/frameworks/intel/seen/where-locations.bro index 59a89b0eb2..9d30b5ff8f 100644 --- a/scripts/policy/frameworks/intel/seen/where-locations.bro +++ b/scripts/policy/frameworks/intel/seen/where-locations.bro @@ -26,5 +26,6 @@ export { SSL::IN_SERVER_NAME, SMTP::IN_HEADER, X509::IN_CERT, + SMB::IN_FILE_NAME, }; } From 2d3a21968e2e50c7913514ace6d90ab0b69c2f1c Mon Sep 17 00:00:00 2001 
From: Stephen Hosom <0xhosom@gmail.com> Date: Wed, 27 Feb 2019 08:56:28 -0500 Subject: [PATCH 19/88] load smb-filenames in scripts/policy/frameworks/intel/seen/__load__.bro --- scripts/policy/frameworks/intel/seen/__load__.bro | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/policy/frameworks/intel/seen/__load__.bro b/scripts/policy/frameworks/intel/seen/__load__.bro index d364e8c587..a01741ea20 100644 --- a/scripts/policy/frameworks/intel/seen/__load__.bro +++ b/scripts/policy/frameworks/intel/seen/__load__.bro @@ -9,3 +9,4 @@ @load ./smtp @load ./smtp-url-extraction @load ./x509 +@load ./smb-filenames \ No newline at end of file From 1d5eac4ee130b1f289fe7661022f27ffd4bfa32e Mon Sep 17 00:00:00 2001 From: Stephen Hosom <0xhosom@gmail.com> Date: Wed, 27 Feb 2019 09:24:52 -0500 Subject: [PATCH 20/88] Normalize the intel seen filename for smb. --- scripts/policy/frameworks/intel/seen/smb-filenames.bro | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/policy/frameworks/intel/seen/smb-filenames.bro b/scripts/policy/frameworks/intel/seen/smb-filenames.bro index 7a18276f49..17b59c6e7c 100644 --- a/scripts/policy/frameworks/intel/seen/smb-filenames.bro +++ b/scripts/policy/frameworks/intel/seen/smb-filenames.bro @@ -11,7 +11,9 @@ event file_new(f: fa_file) local c = f$conns[id]; if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name ) { - Intel::seen([$indicator=c$smb_state$current_file$name, + local split_fname = split_string(c$smb_state$current_file$name, /\\/); + local fname = split_fname[|split_fname|-1]; + Intel::seen([$indicator=fname, $indicator_type=Intel::FILE_NAME, $f=f, $where=SMB::IN_FILE_NAME]); From b20cd599a025e45de4346c978be47a69f8d8782a Mon Sep 17 00:00:00 2001 
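Review bot: Taking the last element of `split_string(c$smb_state$current_file$name, /\\/)` presumably yields an empty string when the SMB name ends in a backslash, and that empty `fname` is then passed to `Intel::seen` as a FILE_NAME indicator. A guard such as `if ( fname != "" )` around the `Intel::seen` call avoids the pointless lookup. The change also means that only the base name is matched from now on, so intel entries that hold a full path stop hitting; a comment like `# Match on the base name only; directory components are dropped.` would make that visible to whoever maintains the indicator feeds. The `file_new` handler begins outside this hunk.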
From: Jon Siwek Date: Wed, 27 Feb 2019 11:22:29 -0600 Subject: [PATCH 21/88] GH-282: Remove JSON formatter's range restriction on numbers It now produces numbers as large as is required to match the data it needs to represent. It's up to the consumer to decide how to appropriately handle values that may be outside their supported range/precision. Fixes GH-282 --- src/threading/formatters/JSON.cc | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc index f495a76b62..73e9489dc5 100644 --- a/src/threading/formatters/JSON.cc +++ b/src/threading/formatters/JSON.cc @@ -77,17 +77,8 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const case TYPE_COUNT: case TYPE_COUNTER: - { - // JSON doesn't support unsigned 64bit ints. - if ( val->val.uint_val >= INT64_MAX ) - { - GetThread()->Error(GetThread()->Fmt("count value too large for JSON: %" PRIu64, val->val.uint_val)); - desc->AddRaw("null", 4); - } - else - desc->Add(val->val.uint_val); + desc->Add(val->val.uint_val); break; - } case TYPE_PORT: desc->Add(val->val.port_val.port); @@ -149,16 +140,9 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const else if ( timestamps == TS_MILLIS ) { - // ElasticSearch uses milliseconds for timestamps and json only - // supports signed ints (uints can be too large). + // ElasticSearch uses milliseconds for timestamps uint64_t ts = (uint64_t) (val->val.double_val * 1000); - if ( ts < INT64_MAX ) - desc->Add(ts); - else - { - GetThread()->Error(GetThread()->Fmt("time value too large for JSON milliseconds: %" PRIu64, ts)); - desc->AddRaw("null", 4); - } + desc->Add(ts); } break; From 92b6656bad2e97e62bc9050b9bf138aff89babf0 Mon Sep 17 00:00:00 2001 
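Review bot: In the `TS_MILLIS` branch the value still comes from `(uint64_t) (val->val.double_val * 1000)`, and with the `ts < INT64_MAX` test removed nothing now stands between that cast and the output. Converting a negative or too-large double to `uint64_t` is undefined behaviour in C++, so a pre-epoch or corrupt timestamp can be written as an arbitrary number. I would test the double before converting, for example `if ( val->val.double_val < 0 ) desc->AddRaw("null", 4);` ahead of the cast, or emit the value through a signed type. The first hunk (`TYPE_COUNT`/`TYPE_COUNTER`) deserves a comment in place of the deleted one, such as `// May exceed INT64_MAX; consumers must cope with the full uint64 range.`, since a consumer that rejects such numbers would presumably drop the whole log entry. `JSON::Describe` starts and ends outside both hunks.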
From: Jon Siwek Date: Wed, 27 Feb 2019 14:25:15 -0600 Subject: [PATCH 22/88] GH-289: Add options to limit entries in http.log file fields The "orig_fuids", "orig_filenames", "orig_mime_types" http.log fields as well as their "resp" counterparts are now limited to having "HTTP::max_files_orig" or "HTTP::max_files_resp" entries, which are 15 by default. The limit can also be ignored case-by-case via the "HTTP::max_files_policy" hook. Fixes GH-289 --- doc | 2 +- scripts/base/protocols/http/entities.bro | 56 +++++++++++++++++++ testing/btest/Baseline/plugins.hooks/output | 20 ++++--- .../http-limit-ignored.log | 10 ++++ .../http-limited.log | 10 ++++ .../http.log | 10 ++++ .../out-limit-ignored | 2 + .../out-limited | 2 + .../protocols/http/multipart-file-limit.bro | 23 ++++++++ 9 files changed, 127 insertions(+), 8 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limit-ignored.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limited.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limit-ignored create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limited create mode 100644 testing/btest/scripts/base/protocols/http/multipart-file-limit.bro diff --git a/doc b/doc index 650a136dcc..143cf073e0 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 650a136dccefe44fa276e4fb06d9dc854f9ab06c +Subproject commit 143cf073e0b95ddef40028027a860b9b8e5125ea diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro index 3670d7879a..c16bb3f630 100644 --- a/scripts/base/protocols/http/entities.bro +++ b/scripts/base/protocols/http/entities.bro 
@@ -13,23 +13,45 @@ export { filename: string &optional; }; + ## Maximum number of originator files to log. + ## :bro:see:`HTTP::max_files_policy` even is called once this + ## limit is reached to determine if it's enforced. + option max_files_orig = 15; + + ## Maximum number of responder files to log. + ## :bro:see:`HTTP::max_files_policy` even is called once this + ## limit is reached to determine if it's enforced. + option max_files_resp = 15; + + ## Called when reaching the max number of files across a given HTTP + ## connection according to :bro:see:`HTTP::max_files_orig` + ## or :bro:see:`HTTP::max_files_resp`. Break from the hook + ## early to signal that the file limit should not be applied. + global max_files_policy: hook(f: fa_file, is_orig: bool); + redef record Info += { ## An ordered vector of file unique IDs. + ## Limited to :bro:see:`HTTP::max_files_orig` entries. orig_fuids: vector of string &log &optional; ## An ordered vector of filenames from the client. + ## Limited to :bro:see:`HTTP::max_files_orig` entries. orig_filenames: vector of string &log &optional; ## An ordered vector of mime types. + ## Limited to :bro:see:`HTTP::max_files_orig` entries. orig_mime_types: vector of string &log &optional; ## An ordered vector of file unique IDs. + ## Limited to :bro:see:`HTTP::max_files_resp` entries. resp_fuids: vector of string &log &optional; ## An ordered vector of filenames from the server. + ## Limited to :bro:see:`HTTP::max_files_resp` entries. resp_filenames: vector of string &log &optional; ## An ordered vector of mime types. + ## Limited to :bro:see:`HTTP::max_files_resp` entries. resp_mime_types: vector of string &log &optional; ## The current entity. 
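Review bot: The doc comments added for `max_files_orig` and `max_files_resp` read "HTTP::max_files_policy even is called", which is a typo and also mislabels the construct, since `max_files_policy` is declared as a hook a few lines further down. I would write `## The HTTP::max_files_policy hook is called once this` in both places, keeping the existing `:bro:see:` role around the name. The hook's own comment could also say that it is invoked for every file past the limit rather than once per connection, which is what the call sites in the following hunks suggest.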
@@ -82,6 +104,23 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori if ( c$http?$current_entity && c$http$current_entity?$filename ) f$info$filename = c$http$current_entity$filename; + local size: count; + local max: count; + + if ( f$is_orig ) + { + size = f$http?$orig_fuids ? |f$http$orig_fuids| : 0; + max = max_files_orig; + } + else + { + size = f$http?$resp_fuids ? |f$http$resp_fuids| : 0; + max = max_files_resp; + } + + if ( size >= max && hook HTTP::max_files_policy(f, f$is_orig) ) + return; + if ( f$is_orig ) { if ( ! c$http?$orig_fuids ) @@ -125,6 +164,23 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 if ( ! meta?$mime_type ) return; + local size: count; + local max: count; + + if ( f$is_orig ) + { + size = f$http?$orig_mime_types ? |f$http$orig_mime_types| : 0; + max = max_files_orig; + } + else + { + size = f$http?$resp_mime_types ? |f$http$resp_mime_types| : 0; + max = max_files_resp; + } + + if ( size >= max && hook HTTP::max_files_policy(f, f$is_orig) ) + return; + if ( f$is_orig ) { if ( ! f$http?$orig_mime_types ) diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index ecbb136298..4bb3902d07 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
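Review bot: The limit check is pasted into both `file_over_new_connection` and `file_sniff` (second hunk), and each copy counts a different vector: the fuid vectors in the first, the MIME-type vectors in the second. Because `file_sniff` returns early when `meta?$mime_type` is unset, the MIME vector can be shorter than the fuid vector, so a file whose fuid was dropped at the limit can still have its MIME type logged, which makes the http.log columns harder to correlate by index; the `max_files_policy` hook is also run twice for the same file. A shared helper removes the duplication and gives one place to document which count is authoritative. Both handlers start and end outside their hunks.

```zeek
# Returns T when the per-direction limit is reached and the policy hook
# did not veto enforcing it.
function file_limit_reached(f: fa_file, cur: count): bool
	{
	local max = f$is_orig ? max_files_orig : max_files_resp;
	return cur >= max && hook HTTP::max_files_policy(f, f$is_orig);
	}

# … unchanged: computation of "size" from the fuid or MIME-type vector …
	if ( file_limit_reached(f, size) )
		return;
```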
@@ -274,7 +274,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1551297972.277316, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -459,7 +459,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1551297972.277316, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -488,6 +488,8 @@ 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (GridFTP::skip_data, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::default_capture_password, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::http_methods, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::max_files_orig, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::max_files_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, 
$old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::proxy_headers, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Input::default_mode, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Input::default_reader, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 
@@ -1169,7 +1171,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1551297972.277316, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1354,7 +1356,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1551297972.277316, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1383,6 +1385,8 @@ 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (GridFTP::skip_data, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::default_capture_password, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::http_methods, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::max_files_orig, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::max_files_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, 
$old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::proxy_headers, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Input::default_mode, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Input::default_reader, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 
@@ -2063,7 +2067,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1551297972.277316, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2248,7 +2252,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1551297972.277316, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2277,6 +2281,8 @@ 0.000000 | HookCallFunction Option::set_change_handler(GridFTP::skip_data, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(HTTP::default_capture_password, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(HTTP::http_methods, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(HTTP::max_files_orig, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(HTTP::max_files_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), 
$new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(HTTP::proxy_headers, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(Input::default_mode, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(Input::default_reader, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 
@@ -2678,7 +2684,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1551297972.277316, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limit-ignored.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limit-ignored.log new file mode 100644 index 0000000000..652a095584 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limit-ignored.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2019-02-27-20-20-12 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1369159408.455878 CHhAvVGS1DHFjwGM9 141.142.228.5 57262 54.243.88.146 80 1 POST httpbin.org /post - 1.1 curl/7.30.0 370 465 200 OK - - (empty) - - - F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg - - FjeopJ2lRk9U1CNNb5 - text/json +#close 2019-02-27-20-20-12 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limited.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limited.log new file mode 100644 index 0000000000..6429813e1e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limited.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2019-02-27-20-19-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1369159408.455878 CHhAvVGS1DHFjwGM9 141.142.228.5 57262 54.243.88.146 80 1 POST httpbin.org /post - 1.1 curl/7.30.0 370 465 200 OK - - (empty) - - - F2yGNX2vGXLxfZeD12 - - FjeopJ2lRk9U1CNNb5 - text/json +#close 2019-02-27-20-19-27 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http.log new file mode 100644 index 0000000000..2554b4ad7f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2019-02-27-20-18-53 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1369159408.455878 CHhAvVGS1DHFjwGM9 141.142.228.5 57262 54.243.88.146 80 1 POST httpbin.org /post - 1.1 curl/7.30.0 370 465 200 OK - - (empty) - - - F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg - - FjeopJ2lRk9U1CNNb5 - text/json +#close 2019-02-27-20-18-53 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limit-ignored b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limit-ignored new file mode 100644 index 0000000000..a73a00eeca --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limit-ignored @@ -0,0 +1,2 @@ +max_files reached +max_files reached diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limited b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limited new file mode 100644 index 0000000000..a73a00eeca --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limited @@ -0,0 +1,2 @@ +max_files reached +max_files reached diff --git a/testing/btest/scripts/base/protocols/http/multipart-file-limit.bro b/testing/btest/scripts/base/protocols/http/multipart-file-limit.bro new file mode 100644 index 0000000000..7c0690babd --- /dev/null 
+++ b/testing/btest/scripts/base/protocols/http/multipart-file-limit.bro @@ -0,0 +1,23 @@ +# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace +# @TEST-EXEC: btest-diff http.log +# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT >out-limited +# @TEST-EXEC: mv http.log http-limited.log +# @TEST-EXEC: btest-diff http-limited.log +# @TEST-EXEC: btest-diff out-limited +# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT ignore_http_file_limit=T >out-limit-ignored +# @TEST-EXEC: mv http.log http-limit-ignored.log +# @TEST-EXEC: btest-diff http-limit-ignored.log +# @TEST-EXEC: btest-diff out-limit-ignored + +option ignore_http_file_limit = F; + +redef HTTP::max_files_orig = 1; +redef HTTP::max_files_resp = 1; + +hook HTTP::max_files_policy(f: fa_file, is_orig: bool) + { + print "max_files reached"; + + if ( ignore_http_file_limit ) + break; + } From 3fc23254164fe8798dff01547b805a21a3ab4a33 Mon Sep 17 00:00:00 2001 From: g0nzu1 Date: Sat, 2 Mar 2019 14:54:47 -0500 Subject: [PATCH 23/88] Minor fixes Line 76 and Line Line 76: Replaced ' for ; Line 120: Replaced ojbects to objects I tested it on my cloned repo and everything seems to compile without errors (Ubuntu Bionic Beaver) regarding the DNP3 Protocol --- src/analyzer/protocol/dnp3/dnp3-protocol.pac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/dnp3/dnp3-protocol.pac b/src/analyzer/protocol/dnp3/dnp3-protocol.pac index 7e1e7ad1af..154fdc8be3 100644 --- a/src/analyzer/protocol/dnp3/dnp3-protocol.pac +++ b/src/analyzer/protocol/dnp3/dnp3-protocol.pac @@ -73,7 +73,7 @@ type DNP3_Response = record { default -> unknown: Debug_Byte; }; } &byteorder = bigendian - &length= 9 + addin_header.len - 5 - 1' + &length= 9 + addin_header.len - 5 - 1; type DNP3_Application_Request_Header = record { empty: bytestring &length = 0; # Work-around BinPAC problem. 
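Review bot: This test only reaches the limit on the originator side of file_over_new_connection. In all three baselines `resp_fuids` holds a single file and `orig_mime_types` is unset, so neither `max_files_resp` nor the check added to file_sniff is ever hit. A trace with several response entities and sniffable MIME types would cover both paths. Printing the direction in the hook, `print "max_files reached", is_orig;`, would also let the baseline show which side triggered it.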
@@ -117,7 +117,7 @@ type Response_Objects(function_code: uint8) = record { 0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ]; 0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )]; 0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )]; - default -> ojbects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item]; + default -> objects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item]; }; }; From 628a46d8fd1a6133cf8aea841083d4d9c03be481 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 6 Mar 2019 15:30:58 -0800 Subject: [PATCH 24/88] GH-219: revert previous change to |x| operator for interval/time The result of the |x| operator for interval and time types historically returned a value of type double. This was changed as part of 3256ac7c4914be7dbec07535faef69b99201b90b to return interval/time, but this now reverts to returning a double again to avoid introducing a change that may break user code. Fixes GH-219 --- CHANGES | 4 ++++ VERSION | 2 +- src/Expr.cc | 2 +- src/Val.cc | 2 +- testing/btest/language/interval.bro | 6 +++--- testing/btest/language/time.bro | 2 +- 6 files changed, 11 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index e1f0882198..e0d13d1335 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,8 @@ +2.6-132 | 2019-03-06 15:30:58 -0800 + + * GH-219: revert a breaking change to |x| operator for interval/time (Jon Siwek, Corelight) + 2.6-130 | 2019-02-22 14:56:41 -0600 * Make input framework parse whitespace around various data types. (Johanna Amann, Corelight) diff --git a/VERSION b/VERSION index fadaf6e549..2ce4bd41ab 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-130 +2.6-132 diff --git a/src/Expr.cc b/src/Expr.cc index be186524ad..b51516d66b 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -1382,7 +1382,7 @@ SizeExpr::SizeExpr(Expr* arg_op) : UnaryExpr(EXPR_SIZE, arg_op) return; if ( op->Type()->InternalType() == TYPE_INTERNAL_DOUBLE ) - SetType(op->Type()->Ref()); + SetType(base_type(TYPE_DOUBLE)); else SetType(base_type(TYPE_COUNT)); } diff --git a/src/Val.cc b/src/Val.cc index a96d2b098e..b55a9090d3 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -425,7 +425,7 @@ Val* Val::SizeVal() const return val_mgr->GetCount(val.uint_val); case TYPE_INTERNAL_DOUBLE: - return new Val(fabs(val.double_val), type->Tag()); + return new Val(fabs(val.double_val), TYPE_DOUBLE); case TYPE_INTERNAL_OTHER: if ( type->Tag() == TYPE_FUNC ) diff --git a/testing/btest/language/interval.bro b/testing/btest/language/interval.bro index c567d0af02..0bb912c4d9 100644 --- a/testing/btest/language/interval.bro +++ b/testing/btest/language/interval.bro @@ -70,9 +70,9 @@ event bro_init() test_case( "compare different time units", in13 >= in35 ); test_case( "add different time units", in13 + in14 == 4min ); test_case( "subtract different time units", in24 - in23 == 0sec ); - test_case( "absolute value", |in25| == 2hr ); - test_case( "absolute value", |in36| == 2.5day ); - test_case( "absolute value", |5sec - 9sec| == 4sec ); + test_case( "absolute value", |in25| == 2.0*3600 ); + test_case( "absolute value", |in36| == 2.5*86400 ); + test_case( "absolute value", |5sec - 9sec| == 4.0 ); in34 += 2hr; test_case( "assignment operator", in34 == 122min ); in34 -= 2hr; 
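Review bot: Nothing at `SetType(base_type(TYPE_DOUBLE));` in src/Expr.cc or at `return new Val(fabs(val.double_val), TYPE_DOUBLE);` in src/Val.cc records why `|x|` on an interval or time value yields a plain double. The two sites have to agree, otherwise the static type of the expression and the runtime value diverge. Since this commit reverts an earlier attempt to return the operand's own type, a short comment at both places would keep that from being reintroduced unnoticed, e.g. `// |x| of double/interval/time is always TYPE_DOUBLE (GH-219); keep Expr.cc and Val.cc in sync.` Both functions start and end outside their hunks.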
diff --git a/testing/btest/language/time.bro b/testing/btest/language/time.bro index 3310c3a3f7..dd4b6336fe 100644 --- a/testing/btest/language/time.bro +++ b/testing/btest/language/time.bro @@ -27,7 +27,7 @@ event bro_init() test_case( "inequality", t1 != t3 ); test_case( "equality", t1 == t4 ); test_case( "subtract time", t2 - t1 == 3sec); - test_case( "size operator", |t5| == t5 ); + test_case( "size operator", |t5| == 1234567890.0 ); } From e0a099fdfa229507e2ba0b38aede7856bb6279b3 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 7 Mar 2019 12:20:18 -0800 Subject: [PATCH 25/88] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 1748d8fe7f..7d60de2027 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 1748d8fe7fa2f32d775045079dd11d3048cb1696 +Subproject commit 7d60de2027bb3de77bc4c4f88bd252ab607ad2a6 From 8e2741544d10177b2bc0404474d35dfc343a8616 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 7 Mar 2019 18:49:30 -0800 Subject: [PATCH 26/88] Updating submodule(s). [nomail] --- aux/bifcl | 2 +- aux/binpac | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/zeek-aux | 2 +- cmake | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/aux/bifcl b/aux/bifcl index 0fae77f96a..7e214967f4 160000 --- a/aux/bifcl +++ b/aux/bifcl @@ -1 +1 @@ -Subproject commit 0fae77f96abe63c93c2b8ab902651ad42e5d6de4 +Subproject commit 7e214967f4a4416a9e4c45d58b43f569e933b365 diff --git a/aux/binpac b/aux/binpac index 24d7a40fa8..b6cfc1243f 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 24d7a40fa81c906510150fb89ff15579be282bb2 +Subproject commit b6cfc1243f3e63037131e214f5c64a03eaad1d00 diff --git a/aux/broccoli b/aux/broccoli index d583984372..1b437de310 160000 --- a/aux/broccoli +++ b/aux/broccoli 
@@ -1 +1 @@ -Subproject commit d5839843727b2dd17f2f85159522879f0d455318 +Subproject commit 1b437de310fb137ff271018065280ee1e65d6deb diff --git a/aux/broctl b/aux/broctl index 7d60de2027..5601ca0ac3 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 7d60de2027bb3de77bc4c4f88bd252ab607ad2a6 +Subproject commit 5601ca0ac31a59356bb67343cb3a66eca7386651 diff --git a/aux/broker b/aux/broker index 7065ab0d25..22560477b5 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 7065ab0d25f3db797b0290724da87c02c262827c +Subproject commit 22560477b5d107fc75af628f67d3afe9ec211b35 diff --git a/aux/zeek-aux b/aux/zeek-aux index 46411f7e42..a95eee2a2f 160000 --- a/aux/zeek-aux +++ b/aux/zeek-aux @@ -1 +1 @@ -Subproject commit 46411f7e4235f119fea5f38fc0329a60631400e3 +Subproject commit a95eee2a2f018f899dfe19a4f9f2425c041f05bd diff --git a/cmake b/cmake index 6135c1a663..ad4d2fa614 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 6135c1a6639dfbfcf9b1fd720fa6a96118b3ab43 +Subproject commit ad4d2fa614390e6bb288fd2be4387a96ff3fb9e7 From a36ac12e885a60ee77f9141d4c35882cb53bc1f2 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 8 Mar 2019 18:36:25 -0800 Subject: [PATCH 27/88] Improve DNS query queuing logic Related to https://github.com/zeek/zeek/pull/276 --- CHANGES | 4 ++++ VERSION | 2 +- scripts/base/protocols/dns/main.bro | 33 ++++++++++++++++++++--------- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index a8c1db9da1..4c3921ec17 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-141 | 2019-03-08 18:36:25 -0800 + + * Improve DNS query queuing logic (Jon Siwek, Corelight) + 2.6-140 | 2019-03-08 16:21:42 -0800 * Improve performance of DNS policy scripts (Justin Azoff, Corelight) diff --git a/VERSION b/VERSION index 1e19626e64..36cb7a5c15 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-140 +2.6-141 
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 4e597368b0..2a49e332d7 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -265,21 +265,34 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 if ( c$dns_state?$pending_query && c$dns_state$pending_query$trans_id == msg$id ) { c$dns = c$dns_state$pending_query; + delete c$dns_state$pending_query; - if ( c$dns_state?$pending_queries && msg$id in c$dns_state$pending_queries && - Queue::len(c$dns_state$pending_queries[msg$id]) > 0 ) + if ( c$dns_state?$pending_queries ) { - # Popping off the next available pending query to set as the - # the shortcut is necessary in order to preserve the overall - # queuing order of queries that happen to share the same + # Popping off an arbitrary, unpaired query to set as the + # new fastpath is necessary in order to preserve the overall + # queuing order of any pending queries that may share a # transaction ID. If we didn't fill c$dns_state$pending_query - # back in with the next element in the current queue, then - # it's possible a new query would jump ahead of the queue as + # back in, then it's possible a new query would jump ahead in + # the queue of some other pending query since # c$dns_state$pending_query is filled first if available. - c$dns_state$pending_query = pop_msg(c$dns_state$pending_queries, msg$id); + + if ( msg$id in c$dns_state$pending_queries && + Queue::len(c$dns_state$pending_queries[msg$id]) > 0 ) + # Prioritize any pending query with matching ID to the one + # that just got paired with a response. + c$dns_state$pending_query = pop_msg(c$dns_state$pending_queries, msg$id); + else + { + # Just pick an arbitrary, unpaired query. + for ( trans_id in c$dns_state$pending_queries ) + if ( Queue::len(c$dns_state$pending_queries[trans_id]) > 0 ) + { + c$dns_state$pending_query = pop_msg(c$dns_state$pending_queries, trans_id); + break; + } + } } - else - delete c$dns_state$pending_query; } else if ( c$dns_state?$pending_queries && msg$id in c$dns_state$pending_queries && Queue::len(c$dns_state$pending_queries[msg$id]) > 0 ) 
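Review bot: The fallback `for ( trans_id in c$dns_state$pending_queries )` promotes whichever transaction ID table iteration yields first, so the block comment's promise of preserving queuing order holds only for queries that share `msg$id`; for other IDs the promoted query is not necessarily the oldest one. The comment should say so, e.g. `# Table iteration order is unspecified; this is not necessarily the oldest pending query.` `pop_msg` is defined outside this hunk; if it removes emptied queues from the table, the `break` directly after the call is what keeps the loop from continuing over a table it has just modified, and that deserves a one-line comment as well. `set_session` continues past the end of the hunk.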
From f4088be8a640dbe4a9d14ea0130b4d5e7a6511c4 Mon Sep 17 00:00:00 2001 From: Henrik Lund Kramshoej Date: Wed, 17 Oct 2018 09:23:21 +0200 Subject: [PATCH 28/88] Initial VXLAN support, need -C flag to work when running bro --- scripts/base/frameworks/tunnels/main.bro | 4 +- src/TunnelEncapsulation.h | 1 + src/analyzer/protocol/CMakeLists.txt | 1 + src/analyzer/protocol/vxlan/CMakeLists.txt | 9 + src/analyzer/protocol/vxlan/Plugin.cc | 25 +++ src/analyzer/protocol/vxlan/VXLAN.cc | 169 ++++++++++++++++++ src/analyzer/protocol/vxlan/VXLAN.h | 87 +++++++++ src/analyzer/protocol/vxlan/events.bif | 12 ++ src/const.bif | 1 + src/types.bif | 1 + .../Baseline/core.tunnels.vxlan/conn.log | 14 ++ .../Baseline/core.tunnels.vxlan/tunnel.log | 13 ++ testing/btest/core/tunnels/vxlan.test | 3 + 13 files changed, 339 insertions(+), 1 deletion(-) create mode 100644 src/analyzer/protocol/vxlan/CMakeLists.txt create mode 100644 src/analyzer/protocol/vxlan/Plugin.cc create mode 100644 src/analyzer/protocol/vxlan/VXLAN.cc create mode 100644 src/analyzer/protocol/vxlan/VXLAN.h create mode 100644 src/analyzer/protocol/vxlan/events.bif create mode 100644 testing/btest/Baseline/core.tunnels.vxlan/conn.log create mode 100644 testing/btest/Baseline/core.tunnels.vxlan/tunnel.log create mode 100644 testing/btest/core/tunnels/vxlan.test diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index 7721ce3a02..3faf267eee 100644 --- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -85,7 +85,8 @@ export { const ayiya_ports = { 5072/udp }; const teredo_ports = { 3544/udp }; const gtpv1_ports = { 2152/udp, 2123/udp }; -redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports }; +const vxlan_ports = { 4789/udp }; +redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports }; event bro_init() &priority=5 { 
@@ -93,6 +94,7 @@ event bro_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); } diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h index b853fc01b3..30b7b48569 100644 --- a/src/TunnelEncapsulation.h +++ b/src/TunnelEncapsulation.h @@ -88,6 +88,7 @@ public: return false; if ( ec1.type == BifEnum::Tunnel::IP || + ec1.type == BifEnum::Tunnel::VXLAN || ec1.type == BifEnum::Tunnel::GRE ) // Reversing endpoints is still same tunnel. return ec1.uid == ec2.uid && ec1.proto == ec2.proto && diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index ff34d243e8..882ba23da9 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -47,5 +47,6 @@ add_subdirectory(syslog) add_subdirectory(tcp) add_subdirectory(teredo) add_subdirectory(udp) +add_subdirectory(vxlan) add_subdirectory(xmpp) add_subdirectory(zip) diff --git a/src/analyzer/protocol/vxlan/CMakeLists.txt b/src/analyzer/protocol/vxlan/CMakeLists.txt new file mode 100644 index 0000000000..e531555321 --- /dev/null +++ b/src/analyzer/protocol/vxlan/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro VXLAN) +bro_plugin_cc(VXLAN.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocol/vxlan/Plugin.cc b/src/analyzer/protocol/vxlan/Plugin.cc new file mode 100644 index 0000000000..89bbcc8e8c --- /dev/null +++ b/src/analyzer/protocol/vxlan/Plugin.cc 
@@ -0,0 +1,25 @@ +// See the file in the main distribution directory for copyright. + + +#include "plugin/Plugin.h" + +#include "VXLAN.h" + +namespace plugin { +namespace Bro_VXLAN { + +class Plugin : public plugin::Plugin { +public: + plugin::Configuration Configure() + { + AddComponent(new ::analyzer::Component("VXLAN", ::analyzer::vxlan::VXLAN_Analyzer::Instantiate)); + + plugin::Configuration config; + config.name = "Bro::VXLAN"; + config.description = "VXLAN analyzer"; + return config; + } +} plugin; + +} +} diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc new file mode 100644 index 0000000000..5c922a43c4 --- /dev/null +++ b/src/analyzer/protocol/vxlan/VXLAN.cc 
@@ -0,0 +1,169 @@ + +#include "VXLAN.h" +#include "TunnelEncapsulation.h" +#include "Conn.h" +#include "IP.h" +#include "../arp/ARP.h" +#include "Reporter.h" + +#include "events.bif.h" + +using namespace analyzer::vxlan; + +void VXLAN_Analyzer::Done() + { + Analyzer::Done(); + Event(udp_session_done); + } + +bool VXLANEncapsulation::DoParse(const u_char* data, int& len) + { + int eth_len = 14; + int vxlan_len = 8; + int eth_mac = 6; + int proto = 0; + reporter->Error("VXLANEncapsulation::DoParse len: %d", len); + /* Note: outer Ethernet, IP, UDP layers already skipped */ + if ( len < vxlan_len ) + { + Weird("VXLAN_truncated missing VXLAN header"); + return false; + } + /* Flags (8 bits): where the I flag MUST be set to 1 for a valid + VXLAN Network ID (VNI). The other 7 bits (designated "R") are + reserved fields and MUST be set to zero on transmission and + ignored on receipt.*/ + if ( ! (data[0] & 0x8) ) + { + Weird("VXLAN_flags packet missing I flag set "); + return false; + } + if ( len < vxlan_len + eth_len ) + { + Weird("VXLAN_truncated missing inner packet header"); + return false; + } + printf("Checking packet ethertype for inner packet:\n"); + uint16 proto_typ = ntohs(*((uint16*)(data+vxlan_len+2*eth_mac))); + if ( proto_typ == 0x0800 ) + proto = IPPROTO_IPV4; + else if ( proto_typ == 0x86dd ) + proto = IPPROTO_IPV6; + else { + Weird("VXLAN_ethertype inner packet should be ethertype: IPv4 or IPv6"); + int i; + for (i=0; i < 2; i++) + printf("%02x ",data[vxlan_len+2*eth_mac+i]); + return false; + } + data += vxlan_len + eth_len; + len -= vxlan_len + eth_len; + inner_ip = data; + return true; + } + +RecordVal* VXLANEncapsulation::BuildVal(const IP_Hdr* inner) const + { + static RecordType* vxlan_hdr_type = 0; + static RecordType* vxlan_auth_type = 0; + static RecordType* vxlan_origin_type = 0; + reporter->Error("VXLANEncapsulation::BuildVal"); + + RecordVal* vxlan_hdr = new RecordVal(vxlan_hdr_type); + vxlan_hdr->Assign(1, inner->BuildPktHdrVal()); + return 
vxlan_hdr; + } + +void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) + { + Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + /* Note: it seems we get the packet AFTER UDP header. */ + + VXLANEncapsulation vx(this); + + // If a carried packet has ethernet, this will help skip it. + int eth_len = 14; + int udp_len = 8; + int vlan_len = 4; + int vxlan_len = 8; + int eth_mac = 6; + int i = 0; + int vni= 0; + int proto = 0; + + const EncapsulationStack* e = Conn()->GetEncapsulation(); + IP_Hdr* inner = 0; + int rslt = sessions->ParseIPPacket(len, data + vxlan_len + eth_len, IPPROTO_IPV4, inner); + + reporter->Info("VXLAN_Analyzer::DeliverPacket"); + reporter->Info("len: %d", len); + printf("Packet hex:\n"); + for (i=0; i < len; i++) + printf("%0x ",data[i]); + printf("\n"); + /* Note: outer Ethernet, IP, UDP layers already skipped */ + if ( len < vxlan_len ) + { + Weird("VXLAN_truncated missing VXLAN header"); + return; + } + /* Flags (8 bits): where the I flag MUST be set to 1 for a valid + VXLAN Network ID (VNI). The other 7 bits (designated "R") are + reserved fields and MUST be set to zero on transmission and + ignored on receipt.*/ + if ( ! (data[0] & 0x8) ) + { + Weird("VXLAN_flags packet missing I flag set "); + return; + } + if ( len < vxlan_len + eth_len ) + { + Weird("VXLAN_truncated missing inner packet header"); + return; + } + printf("Checking packet ethertype for inner packet:\n"); + uint16 proto_typ = ntohs(*((uint16*)(data+vxlan_len+2*eth_mac))); + switch (proto_typ) + { + case 0x0800: + proto = IPPROTO_IPV4; + break; + case 0x86dd: + proto = IPPROTO_IPV6; + break; + case 0x8100: + case 0x9100: + /* 802.1q / 802.1ad */ + proto = proto_typ; + if (len < vxlan_len + eth_len + vlan_len) + { + Weird("VXLAN truncated inner packet VLAN ether header "); + return; + } + /* Set type then to next ethertype ? 
*/ + break; + default: + Weird("VXLAN_ethertype inner packet should be ethertype: VLAN, IPv4 or IPv6"); + int i; + for (i=0; i < 2; i++) + printf("%02x ",data[vxlan_len+2*eth_mac+i]); + return; + + } + + printf("Packet safety checks done\n"); + vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0); + printf("VXLAN VNI %d\n",vni); + + /* Do we want the inner packet with or without Ethernet header? + data += vxlan_len + udp_len + eth_len; + len -= vxlan_len + udp_len + eth_len; + caplen -= vxlan_len + udp_len + eth_len; +*/ + data += udp_len + vxlan_len; + len -= udp_len + vxlan_len; + caplen -= udp_len + vxlan_len; + EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN); + sessions->DoNextInnerPacket(network_time, 0, inner, e, ec); + } diff --git a/src/analyzer/protocol/vxlan/VXLAN.h b/src/analyzer/protocol/vxlan/VXLAN.h new file mode 100644 index 0000000000..e0f8dd99aa --- /dev/null +++ b/src/analyzer/protocol/vxlan/VXLAN.h 
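Review bot: In `VXLAN_Analyzer::DeliverPacket`, `sessions->ParseIPPacket(len, data + vxlan_len + eth_len, IPPROTO_IPV4, inner)` runs before the `len < vxlan_len` and `len < vxlan_len + eth_len` checks, so a short payload on the VXLAN port is parsed 22 bytes past its start with the unreduced `len`, which can read beyond the buffer. The call also hard-codes IPv4 although the ethertype switch below accepts IPv6, and `rslt` is never checked before `inner` is handed to `DoNextInnerPacket`. Move the call below the switch as `int rslt = sessions->ParseIPPacket(len - vxlan_len - eth_len, data + vxlan_len + eth_len, proto, inner);` for the IPv4/IPv6 cases and return when it reports failure; VLAN-tagged frames would additionally need the `vlan_len` offset that the hunk leaves as an open question. The per-packet `printf` hex dump and the `reporter->Error(...)` trace calls should be removed, and `BuildVal` constructs a `RecordVal` from `vxlan_hdr_type`, which is initialised to 0 and never assigned in this hunk.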
@@ -0,0 +1,87 @@ +#ifndef ANALYZER_PROTOCOL_VXLAN_VXLAN_H +#define ANALYZER_PROTOCOL_VXLAN_VXLAN_H + +#include "analyzer/Analyzer.h" +#include "NetVar.h" +#include "Reporter.h" + +namespace analyzer { namespace vxlan { + +class VXLAN_Analyzer : public analyzer::Analyzer { +public: + explicit VXLAN_Analyzer(Connection* conn) : Analyzer("VXLAN", conn), + valid_orig(false), valid_resp(false) + {} + + ~VXLAN_Analyzer() override + {} + + void Done() override; + + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + + static analyzer::Analyzer* Instantiate(Connection* conn) + { return new VXLAN_Analyzer(conn); } + + /** + * Emits a weird only if the analyzer has previously been able to + * decapsulate a VXLAN packet in both directions or if *force* param is + * set, since otherwise the weirds could happen frequently enough to be less + * than helpful. The *force* param is meant for cases where just one side + * has a valid encapsulation and so the weird would be informative. + */ + void Weird(const char* name, bool force = false) const + { + if ( ProtocolConfirmed() || force ) + reporter->Weird(Conn(), name); + } + + /** + * If the delayed confirmation option is set, then a valid encapsulation + * seen from both end points is required before confirming. + */ +/* copied from Teredo, do we want this too for VXLAN? + void Confirm() + { + if ( ! BifConst::Tunnel::delay_vxlan_confirmation || + ( valid_orig && valid_resp ) ) + ProtocolConfirmation(); + }*/ + +protected: + bool valid_orig; + bool valid_resp; +}; + +class VXLANEncapsulation { +public: + explicit VXLANEncapsulation(const VXLAN_Analyzer* ta) + : inner_ip(0), analyzer(ta) + {} + + /** + * Returns whether input data parsed as a valid VXLAN encapsulation type. + * If it was valid, the len argument is decremented appropriately. 
+ */ + bool Parse(const u_char* data, int& len) + { return DoParse(data, len); } + + const u_char* InnerIP() const + { return inner_ip; } + + RecordVal* BuildVal(const IP_Hdr* inner) const; + +protected: + bool DoParse(const u_char* data, int& len); + + void Weird(const char* name) const + { analyzer->Weird(name); } + + const u_char* inner_ip; + const VXLAN_Analyzer* analyzer; +}; + +} } // namespace analyzer::* + +#endif diff --git a/src/analyzer/protocol/vxlan/events.bif b/src/analyzer/protocol/vxlan/events.bif new file mode 100644 index 0000000000..9ed9fdc52b --- /dev/null +++ b/src/analyzer/protocol/vxlan/events.bif @@ -0,0 +1,12 @@ +## Generated for any packet encapsulated in a VXLAN tunnel. +## See :rfc:`7348` for more information about the VXLAN protocol. +## +## outer: The VXLAN tunnel connection. +## +## inner: The VXLAN-encapsulated Ethernet packet header and transport header. +## +## .. bro:see:: vxlan_authentication vxlan_origin_indication vxlan_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event vxlan_packet%(outer: connection, inner: vxlan_hdr%); diff --git a/src/const.bif b/src/const.bif index 2d062d854a..468929de05 100644 --- a/src/const.bif +++ b/src/const.bif @@ -19,6 +19,7 @@ const Tunnel::enable_ayiya: bool; const Tunnel::enable_teredo: bool; const Tunnel::enable_gtpv1: bool; const Tunnel::enable_gre: bool; +const Tunnel::enable_vxlan: bool; const Tunnel::delay_teredo_confirmation: bool; const Tunnel::delay_gtp_confirmation: bool; const Tunnel::ip_tunnel_timeout: interval; diff --git a/src/types.bif b/src/types.bif index 145a8af89e..babccb0f0d 100644 --- a/src/types.bif +++ b/src/types.bif @@ -192,6 +192,7 @@ enum Type %{ GTPv1, HTTP, GRE, + VXLAN, %} type EncapsulatingConn: record; 
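Review bot: `Weird()` reports only when `ProtocolConfirmed()` is true or `force` is set, but `Confirm()` is commented out in this header, no call to `ProtocolConfirmation()` is visible in this commit's VXLAN.cc, and every caller there uses the default `force = false`. As written, the truncation and missing-I-flag weirds would apparently never reach the reporter, which removes the only signal that malformed traffic arrived on the VXLAN port. Either call `ProtocolConfirmation()` after a successful decapsulation or raise these with `Weird(name, true)`. `valid_orig` and `valid_resp` are initialised but never updated in the visible code and can be dropped until `Confirm()` is enabled.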
diff --git a/testing/btest/Baseline/core.tunnels.vxlan/conn.log b/testing/btest/Baseline/core.tunnels.vxlan/conn.log new file mode 100644 index 0000000000..6531850a0c --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log @@ -0,0 +1,14 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2018-10-18-11-51-46 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1368908504.882198 CUY3VO38piNbzBWoCf 192.168.202.1 42710 192.168.203.1 4789 udp - - - - S0 - - 0 D 1 78 0 0 - +1368908504.882536 C938WE2Zxjsr1dQt8 192.168.203.1 52102 192.168.202.1 4789 udp - - - - S0 - - 0 D 1 78 0 0 - +1368908504.925960 CPPxeT3vy9lhCeFyzf 192.168.202.1 32894 192.168.203.1 4789 udp - 2.959399 424 0 S0 - - 0 D 4 536 0 0 - +1368908504.837063 CAL8II3MrNKoLygbR 192.168.203.1 45149 192.168.202.1 4789 udp - 3.004913 424 0 S0 - - 0 D 4 536 0 0 - +1368908504.837063 C3MYEy2ilZOiJASuTk 192.168.203.3 8 192.168.203.5 0 icmp - 3.048296 224 224 OTH - - 0 - 4 336 4 336 CAL8II3MrNKoLygbR,CPPxeT3vy9lhCeFyzf +#close 2018-10-18-11-51-46 diff --git a/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log new file mode 100644 index 0000000000..0e9523525c --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log 
@@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2018-10-18-11-51-46 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1368908504.837063 CAL8II3MrNKoLygbR 192.168.203.1 45149 192.168.202.1 4789 Tunnel::VXLAN Tunnel::DISCOVER +1368908504.925960 CPPxeT3vy9lhCeFyzf 192.168.202.1 32894 192.168.203.1 4789 Tunnel::VXLAN Tunnel::DISCOVER +1368908507.885359 CPPxeT3vy9lhCeFyzf 192.168.202.1 32894 192.168.203.1 4789 Tunnel::VXLAN Tunnel::CLOSE +1368908507.885359 CAL8II3MrNKoLygbR 192.168.203.1 45149 192.168.202.1 4789 Tunnel::VXLAN Tunnel::CLOSE +#close 2018-10-18-11-51-46 diff --git a/testing/btest/core/tunnels/vxlan.test b/testing/btest/core/tunnels/vxlan.test new file mode 100644 index 0000000000..9a77f9c285 --- /dev/null +++ b/testing/btest/core/tunnels/vxlan.test @@ -0,0 +1,3 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/vxlan-sample.pcap +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log From 09ae539ea873b06a45a8be55908a2d6b66177a76 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 12 Mar 2019 18:09:28 -0700 Subject: [PATCH 29/88] GH-250: Improve/cleanup VXLAN decapsulation support * Better parsing/error-checking of VXLAN and encapsulated packet headers * Add/implement the "vxlan_packet" event * Add "Tunnel::vxlan_ports" option to tune the set of VXLAN ports to analyze/decapsulate * Add "Tunnel::validate_vxlan_checksums" option to allow for tuning of how checksums associated with the outer UDP header of a possible VXLAN tunnel are handled Fixes GH-250 --- doc | 2 +- scripts/base/frameworks/tunnels/main.bro | 3 +- scripts/base/init-bare.bro | 12 ++ src/TunnelEncapsulation.h | 9 +- src/analyzer/Manager.cc | 12 ++ src/analyzer/Manager.h | 9 + src/analyzer/protocol/udp/UDP.cc | 26 ++- src/analyzer/protocol/vxlan/VXLAN.cc | 199 ++++++------------ src/analyzer/protocol/vxlan/VXLAN.h | 66 +----- src/analyzer/protocol/vxlan/events.bif | 4 +- src/const.bif | 2 +- .../Baseline/core.print-bpf-filters/conn.log | 4 +- .../Baseline/core.print-bpf-filters/output | 18 +- .../Baseline/core.print-bpf-filters/output2 | 9 +- .../Baseline/core.tunnels.vxlan/conn.log | 14 +- testing/btest/Baseline/core.tunnels.vxlan/out | 8 + .../Baseline/core.tunnels.vxlan/tunnel.log | 12 +- .../canonified_loaded_scripts.log | 1 + .../canonified_loaded_scripts.log | 1 + testing/btest/Baseline/plugins.hooks/output | 26 ++- testing/btest/Traces/tunnels/vxlan.pcap | Bin 0 -> 1552 bytes testing/btest/core/tunnels/vxlan.bro | 9 + testing/btest/core/tunnels/vxlan.test | 3 - 23 files changed, 206 insertions(+), 243 deletions(-) create mode 100644 testing/btest/Baseline/core.tunnels.vxlan/out create mode 100644 testing/btest/Traces/tunnels/vxlan.pcap create mode 100644 testing/btest/core/tunnels/vxlan.bro delete mode 100644 testing/btest/core/tunnels/vxlan.test diff --git a/doc b/doc index 5e7820debc..73c5b6622b 160000 --- a/doc +++ b/doc 
@@ -1 +1 @@ -Subproject commit 5e7820debc34f86023e696b7e880313be76275f3 +Subproject commit 73c5b6622b5b05e3fe246fcaa5c0587727d9edd0 diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index 3faf267eee..f90616e38e 100644 --- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -85,7 +85,6 @@ export { const ayiya_ports = { 5072/udp }; const teredo_ports = { 3544/udp }; const gtpv1_ports = { 2152/udp, 2123/udp }; -const vxlan_ports = { 4789/udp }; redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports }; event bro_init() &priority=5 @@ -94,8 +93,8 @@ event bro_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports); - Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports); } function register_all(ecv: EncapsulatingConnVector) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 600a507d4f..47a6fa5f05 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -4857,6 +4857,18 @@ export { ## How often to cleanup internal state for inactive IP tunnels ## (includes GRE tunnels). const ip_tunnel_timeout = 24hrs &redef; + + ## Whether to validate the checksum supplied in the outer UDP header + ## of a VXLAN encapsulation. The spec says the checksum should be + ## transmitted as zero, but if not, then the decapsulating destination + ## may choose whether to perform the validation. + const validate_vxlan_checksums = T &redef; + + ## The set of UDP ports used for VXLAN traffic. Traffic using this + ## UDP destination port will attempt to be decapsulated. Note that if + ## if you customize this, you may still want to manually ensure that + ## :bro:see:`likely_server_ports` also gets populated accordingly. + const vxlan_ports: set[port] = { 4789/udp }; } # end export module Reporter; diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h index 30b7b48569..27729e56b7 100644 --- a/src/TunnelEncapsulation.h +++ b/src/TunnelEncapsulation.h @@ -88,13 +88,20 @@ public: return false; if ( ec1.type == BifEnum::Tunnel::IP || - ec1.type == BifEnum::Tunnel::VXLAN || ec1.type == BifEnum::Tunnel::GRE ) // Reversing endpoints is still same tunnel. return ec1.uid == ec2.uid && ec1.proto == ec2.proto && ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) || (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr)); + if ( ec1.type == BifEnum::Tunnel::VXLAN ) + // Reversing endpoints is still same tunnel, destination port is + // always the same. + return ec1.dst_port == ec2.dst_port && + ec1.uid == ec2.uid && ec1.proto == ec2.proto && + ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) || + (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr)); + return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr && ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto; 
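Review bot: `vxlan_ports` is declared as `const vxlan_ports: set[port] = { 4789/udp };` without `&redef`, unlike `validate_vxlan_checksums` and `ip_tunnel_timeout` next to it, so the customisation its own comment describes cannot be done with a `redef`. If tuning is intended, as the commit message states, declare it as `const vxlan_ports: set[port] = { 4789/udp } &redef;`. The comment should also mention that this set decides which UDP traffic gets the relaxed checksum handling added to UDP.cc in the same commit, since widening the set widens that exemption. The doc comment has a doubled word in "Note that if if you customize this".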
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 286c5eee9f..1546f846e5 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -96,6 +96,18 @@ void Manager::InitPreScript() void Manager::InitPostScript() { + auto id = global_scope()->Lookup("Tunnel::vxlan_ports"); + + if ( ! (id && id->ID_Val()) ) + reporter->FatalError("Tunnel::vxlan_ports not defined"); + + auto table_val = id->ID_Val()->AsTableVal(); + auto port_list = table_val->ConvertToPureList(); + + for ( auto i = 0; i < port_list->Length(); ++i ) + vxlan_ports.emplace_back(port_list->Index(i)->AsPortVal()->Port()); + + Unref(port_list); } void Manager::DumpDebug() diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index d341940e7d..c429745862 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -22,6 +22,7 @@ #define ANALYZER_MANAGER_H #include +#include #include "Analyzer.h" #include "Component.h" @@ -335,6 +336,13 @@ public: void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, Val* analyzer, double timeout); + + /** + * @return the UDP port numbers to be associated with VXLAN traffic. + */ + const std::vector& GetVxlanPorts() const + { return vxlan_ports; } + private: typedef set tag_set; typedef map analyzer_map_by_port; @@ -390,6 +398,7 @@ private: conns_map conns; conns_queue conns_by_timeout; + std::vector vxlan_ports; }; } diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index 0da1a2bd65..b887eea5c1 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -7,6 +7,7 @@ #include "Net.h" #include "NetVar.h" #include "analyzer/protocol/udp/UDP.h" +#include "analyzer/Manager.h" #include "Reporter.h" #include "Conn.h" 
@@ -61,7 +62,30 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int chksum = up->uh_sum; - if ( ! ignore_checksums && caplen >= len ) + auto validate_checksum = ! ignore_checksums && caplen >=len; + constexpr auto vxlan_len = 8; + constexpr auto eth_len = 14; + + if ( validate_checksum && + len > (sizeof(struct udphdr) + vxlan_len + eth_len) && + (data[0] & 0x08) == 0x08 ) + { + auto& vxlan_ports = analyzer_mgr->GetVxlanPorts(); + + if ( std::find(vxlan_ports.begin(), vxlan_ports.end(), + ntohs(up->uh_dport)) != vxlan_ports.end() ) + { + // Looks like VXLAN on a well-known port, so the checksum should be + // transmitted as zero, and we should accept that. If not + // transmitted as zero, then validating the checksum is optional. + if ( chksum == 0 ) + validate_checksum = false; + else + validate_checksum = BifConst::Tunnel::validate_vxlan_checksums; + } + } + + if ( validate_checksum ) { bool bad = false; diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc index 5c922a43c4..1431f92fed 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.cc +++ b/src/analyzer/protocol/vxlan/VXLAN.cc @@ -3,7 +3,6 @@ #include "TunnelEncapsulation.h" #include "Conn.h" #include "IP.h" -#include "../arp/ARP.h" #include "Reporter.h" #include "events.bif.h" 
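Review bot: The guard `len > (sizeof(struct udphdr) + vxlan_len + eth_len)` compares a signed `int` with a `size_t` sum, so `len` is converted to unsigned before the comparison; writing it as `len > static_cast<int>(sizeof(struct udphdr)) + vxlan_len + eth_len` keeps the bound check signed. The VXLAN header size and the `0x08` flag mask are repeated here and in VXLAN.cc, and shared named constants would keep this heuristic and the analyzer from drifting apart. A short comment that `data[0]` is the first payload byte (the VXLAN flags) would help, because the place where `data` is advanced past the UDP header lies outside the hunk.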
@@ -16,154 +15,86 @@ void VXLAN_Analyzer::Done() Event(udp_session_done); } -bool VXLANEncapsulation::DoParse(const u_char* data, int& len) - { - int eth_len = 14; - int vxlan_len = 8; - int eth_mac = 6; - int proto = 0; - reporter->Error("VXLANEncapsulation::DoParse len: %d", len); - /* Note: outer Ethernet, IP, UDP layers already skipped */ - if ( len < vxlan_len ) - { - Weird("VXLAN_truncated missing VXLAN header"); - return false; - } - /* Flags (8 bits): where the I flag MUST be set to 1 for a valid - VXLAN Network ID (VNI). The other 7 bits (designated "R") are - reserved fields and MUST be set to zero on transmission and - ignored on receipt.*/ - if ( ! (data[0] & 0x8) ) - { - Weird("VXLAN_flags packet missing I flag set "); - return false; - } - if ( len < vxlan_len + eth_len ) - { - Weird("VXLAN_truncated missing inner packet header"); - return false; - } - printf("Checking packet ethertype for inner packet:\n"); - uint16 proto_typ = ntohs(*((uint16*)(data+vxlan_len+2*eth_mac))); - if ( proto_typ == 0x0800 ) - proto = IPPROTO_IPV4; - else if ( proto_typ == 0x86dd ) - proto = IPPROTO_IPV6; - else { - Weird("VXLAN_ethertype inner packet should be ethertype: IPv4 or IPv6"); - int i; - for (i=0; i < 2; i++) - printf("%02x ",data[vxlan_len+2*eth_mac+i]); - return false; - } - data += vxlan_len + eth_len; - len -= vxlan_len + eth_len; - inner_ip = data; - return true; - } - -RecordVal* VXLANEncapsulation::BuildVal(const IP_Hdr* inner) const - { - static RecordType* vxlan_hdr_type = 0; - static RecordType* vxlan_auth_type = 0; - static RecordType* vxlan_origin_type = 0; - reporter->Error("VXLANEncapsulation::BuildVal"); - - RecordVal* vxlan_hdr = new RecordVal(vxlan_hdr_type); - vxlan_hdr->Assign(1, inner->BuildPktHdrVal()); - return vxlan_hdr; - } - void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen) + uint64 seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, 
caplen); - /* Note: it seems we get the packet AFTER UDP header. */ - VXLANEncapsulation vx(this); + // Outer Ethernet, IP, and UDP layers already skipped. + // Also, generic UDP analyzer already checked/guarantees caplen >= len. - // If a carried packet has ethernet, this will help skip it. - int eth_len = 14; - int udp_len = 8; - int vlan_len = 4; - int vxlan_len = 8; - int eth_mac = 6; - int i = 0; - int vni= 0; - int proto = 0; + constexpr auto vxlan_len = 8; - const EncapsulationStack* e = Conn()->GetEncapsulation(); - IP_Hdr* inner = 0; - int rslt = sessions->ParseIPPacket(len, data + vxlan_len + eth_len, IPPROTO_IPV4, inner); - - reporter->Info("VXLAN_Analyzer::DeliverPacket"); - reporter->Info("len: %d", len); - printf("Packet hex:\n"); - for (i=0; i < len; i++) - printf("%0x ",data[i]); - printf("\n"); - /* Note: outer Ethernet, IP, UDP layers already skipped */ if ( len < vxlan_len ) - { - Weird("VXLAN_truncated missing VXLAN header"); + { + ProtocolViolation("VXLAN header truncation", (const char*) data, len); return; - } - /* Flags (8 bits): where the I flag MUST be set to 1 for a valid - VXLAN Network ID (VNI). The other 7 bits (designated "R") are - reserved fields and MUST be set to zero on transmission and - ignored on receipt.*/ - if ( ! 
(data[0] & 0x8) ) - { - Weird("VXLAN_flags packet missing I flag set "); + } + + if ( (data[0] & 0x08) == 0 ) + { + ProtocolViolation("VXLAN 'I' flag not set", (const char*) data, len); return; - } - if ( len < vxlan_len + eth_len ) - { - Weird("VXLAN_truncated missing inner packet header"); + } + + const EncapsulationStack* estack = Conn()->GetEncapsulation(); + + if ( estack && estack->Depth() >= BifConst::Tunnel::max_depth ) + { + reporter->Weird(Conn(), "tunnel_depth"); return; - } - printf("Checking packet ethertype for inner packet:\n"); - uint16 proto_typ = ntohs(*((uint16*)(data+vxlan_len+2*eth_mac))); - switch (proto_typ) - { - case 0x0800: - proto = IPPROTO_IPV4; + } + + int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0); + + data += vxlan_len; + caplen -= vxlan_len; + len -= vxlan_len; + + pkt_timeval ts; + ts.tv_sec = (time_t) current_timestamp; + ts.tv_usec = (suseconds_t) ((current_timestamp - (double)ts.tv_sec) * 1000000); + Packet pkt(DLT_EN10MB, &ts, caplen, len, data); + + if ( ! pkt.Layer2Valid() ) + { + ProtocolViolation("VXLAN invalid inner ethernet frame", + (const char*) data, len); + return; + } + + data += pkt.hdr_size; + len -= pkt.hdr_size; + caplen -= pkt.hdr_size; + + IP_Hdr* inner = nullptr; + int res = 0; + + switch ( pkt.l3_proto ) { + case L3_IPV4: + res = sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner); break; - case 0x86dd: - proto = IPPROTO_IPV6; - break; - case 0x8100: - case 0x9100: - /* 802.1q / 802.1ad */ - proto = proto_typ; - if (len < vxlan_len + eth_len + vlan_len) - { - Weird("VXLAN truncated inner packet VLAN ether header "); - return; - } - /* Set type then to next ethertype ? 
*/ + case L3_IPV6: + res = sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner); break; default: - Weird("VXLAN_ethertype inner packet should be ethertype: VLAN, IPv4 or IPv6"); - int i; - for (i=0; i < 2; i++) - printf("%02x ",data[vxlan_len+2*eth_mac+i]); return; - } - printf("Packet safety checks done\n"); - vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0); - printf("VXLAN VNI %d\n",vni); + if ( res < 0 ) + { + delete inner; + ProtocolViolation("Truncated VXLAN or invalid inner IP", + (const char*) data, len); + return; + } + + ProtocolConfirmation(); + + if ( vxlan_packet ) + Conn()->Event(vxlan_packet, 0, inner->BuildPktHdrVal(), + val_mgr->GetCount(vni)); - /* Do we want the inner packet with or without Ethernet header? - data += vxlan_len + udp_len + eth_len; - len -= vxlan_len + udp_len + eth_len; - caplen -= vxlan_len + udp_len + eth_len; -*/ - data += udp_len + vxlan_len; - len -= udp_len + vxlan_len; - caplen -= udp_len + vxlan_len; EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN); - sessions->DoNextInnerPacket(network_time, 0, inner, e, ec); - } + sessions->DoNextInnerPacket(network_time, &pkt, inner, estack, ec); + } diff --git a/src/analyzer/protocol/vxlan/VXLAN.h b/src/analyzer/protocol/vxlan/VXLAN.h index e0f8dd99aa..f9eb52e0d3 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.h +++ b/src/analyzer/protocol/vxlan/VXLAN.h 
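Review bot: The check `len < vxlan_len` and the reads of `data[0]` and `data[4]` to `data[6]` rely on the comment's statement that the UDP analyzer guarantees `caplen >= len`, but nothing in this function enforces it, and the UDP.cc hunk of this commit uses that comparison only to decide on checksum validation. If a snaplen-truncated packet ever reaches this analyzer, the header bytes would be read beyond what was captured. A local guard such as `if ( len < vxlan_len || caplen < vxlan_len )` makes the bound independent of the caller. The `default: return;` arm drops non-IP inner frames without a confirmation or a weird, which deserves a one-line comment saying that this is intentional.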
@@ -9,77 +9,17 @@ namespace analyzer { namespace vxlan { class VXLAN_Analyzer : public analyzer::Analyzer { public: - explicit VXLAN_Analyzer(Connection* conn) : Analyzer("VXLAN", conn), - valid_orig(false), valid_resp(false) - {} - - ~VXLAN_Analyzer() override + explicit VXLAN_Analyzer(Connection* conn) + : Analyzer("VXLAN", conn) {} void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen) override; + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new VXLAN_Analyzer(conn); } - - /** - * Emits a weird only if the analyzer has previously been able to - * decapsulate a VXLAN packet in both directions or if *force* param is - * set, since otherwise the weirds could happen frequently enough to be less - * than helpful. The *force* param is meant for cases where just one side - * has a valid encapsulation and so the weird would be informative. - */ - void Weird(const char* name, bool force = false) const - { - if ( ProtocolConfirmed() || force ) - reporter->Weird(Conn(), name); - } - - /** - * If the delayed confirmation option is set, then a valid encapsulation - * seen from both end points is required before confirming. - */ -/* copied from Teredo, do we want this too for VXLAN? - void Confirm() - { - if ( ! BifConst::Tunnel::delay_vxlan_confirmation || - ( valid_orig && valid_resp ) ) - ProtocolConfirmation(); - }*/ - -protected: - bool valid_orig; - bool valid_resp; -}; - -class VXLANEncapsulation { -public: - explicit VXLANEncapsulation(const VXLAN_Analyzer* ta) - : inner_ip(0), analyzer(ta) - {} - - /** - * Returns whether input data parsed as a valid VXLAN encapsulation type. - * If it was valid, the len argument is decremented appropriately. 
- */ - bool Parse(const u_char* data, int& len) - { return DoParse(data, len); } - - const u_char* InnerIP() const - { return inner_ip; } - - RecordVal* BuildVal(const IP_Hdr* inner) const; - -protected: - bool DoParse(const u_char* data, int& len); - - void Weird(const char* name) const - { analyzer->Weird(name); } - - const u_char* inner_ip; - const VXLAN_Analyzer* analyzer; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/vxlan/events.bif b/src/analyzer/protocol/vxlan/events.bif index 9ed9fdc52b..d05c74dfbe 100644 --- a/src/analyzer/protocol/vxlan/events.bif +++ b/src/analyzer/protocol/vxlan/events.bif @@ -5,8 +5,8 @@ ## ## inner: The VXLAN-encapsulated Ethernet packet header and transport header. ## -## .. bro:see:: vxlan_authentication vxlan_origin_indication vxlan_bubble +## vni: VXLAN Network Identifier. ## ## .. note:: Since this event may be raised on a per-packet basis, handling ## it may become particularly expensive for real-time analysis. -event vxlan_packet%(outer: connection, inner: vxlan_hdr%); +event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%); diff --git a/src/const.bif b/src/const.bif index 468929de05..6d60ac707b 100644 --- a/src/const.bif +++ b/src/const.bif @@ -19,9 +19,9 @@ const Tunnel::enable_ayiya: bool; const Tunnel::enable_teredo: bool; const Tunnel::enable_gtpv1: bool; const Tunnel::enable_gre: bool; -const Tunnel::enable_vxlan: bool; const Tunnel::delay_teredo_confirmation: bool; const Tunnel::delay_gtp_confirmation: bool; const Tunnel::ip_tunnel_timeout: interval; +const Tunnel::validate_vxlan_checksums: bool; const Threading::heartbeat_interval: interval; diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index e7f8f8714a..f14621c261 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log 
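Review bot: The `inner` description kept as context in the events.bif hunk still reads "The VXLAN-encapsulated Ethernet packet header and transport header", but the event now passes a `pkt_hdr`. The baseline added for core.tunnels.vxlan prints only `ip`, `ip6`, `tcp`, `udp` and `icmp` fields for that argument, with no Ethernet fields. I would reword the line to `## inner: The IP and transport-layer headers of the VXLAN-encapsulated packet.` so that script writers do not expect inner MAC addresses from this event. The event's comment block begins above the hunk, so the `outer` description was not checked.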
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-14 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - -#close 2016-07-13-16-12-59 +#close 2019-03-12-03-25-14 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output index 3da7f62f77..d8067da821 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output +++ b/testing/btest/Baseline/core.print-bpf-filters/output @@ -3,28 +3,28 @@ #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-57 +#open 2019-03-12-03-25-12 #fields ts node filter init success #types time string string bool bool -1468426377.846975 bro ip or not ip T T -#close 2016-07-13-16-12-57 +1552361112.763592 bro ip or not ip T T +#close 2019-03-12-03-25-12 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-13 #fields ts node filter init success #types time string string bool bool -1468426378.362651 bro port 42 T T -#close 2016-07-13-16-12-58 +1552361113.442916 bro port 42 T T +#close 2019-03-12-03-25-13 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-14 #fields ts node filter init success #types time string string bool bool -1468426378.944945 bro (vlan) and (ip or not ip) T T -#close 2016-07-13-16-12-59 +1552361114.111534 bro (vlan) and (ip or not ip) T T +#close 2019-03-12-03-25-14 
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index 26a4b5fa85..d46c6b1f1f 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -21,6 +21,7 @@ 1 4011 2 443 1 445 +1 4789 1 502 1 5060 1 5072 @@ -54,8 +55,8 @@ 1 992 1 993 1 995 -61 and -60 or -61 port +62 and +61 or +62 port 42 tcp -19 udp +20 udp diff --git a/testing/btest/Baseline/core.tunnels.vxlan/conn.log b/testing/btest/Baseline/core.tunnels.vxlan/conn.log index 6531850a0c..3805f6d92f 100644 --- a/testing/btest/Baseline/core.tunnels.vxlan/conn.log +++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log 
@@ -3,12 +3,12 @@ #empty_field (empty) #unset_field - #path conn -#open 2018-10-18-11-51-46 +#open 2019-03-12-03-29-46 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1368908504.882198 CUY3VO38piNbzBWoCf 192.168.202.1 42710 192.168.203.1 4789 udp - - - - S0 - - 0 D 1 78 0 0 - -1368908504.882536 C938WE2Zxjsr1dQt8 192.168.203.1 52102 192.168.202.1 4789 udp - - - - S0 - - 0 D 1 78 0 0 - -1368908504.925960 CPPxeT3vy9lhCeFyzf 192.168.202.1 32894 192.168.203.1 4789 udp - 2.959399 424 0 S0 - - 0 D 4 536 0 0 - -1368908504.837063 CAL8II3MrNKoLygbR 192.168.203.1 45149 192.168.202.1 4789 udp - 3.004913 424 0 S0 - - 0 D 4 536 0 0 - -1368908504.837063 C3MYEy2ilZOiJASuTk 192.168.203.3 8 192.168.203.5 0 icmp - 3.048296 224 224 OTH - - 0 - 4 336 4 336 CAL8II3MrNKoLygbR,CPPxeT3vy9lhCeFyzf -#close 2018-10-18-11-51-46 +1467818432.676047 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 udp vxlan 3.004434 424 0 S0 - - 0 D 4 536 0 0 - +1467818432.675392 CHhAvVGS1DHFjwGM9 192.168.56.11 39924 192.168.56.12 4789 udp - - - - S0 - - 0 D 1 78 0 0 - +1467818432.675732 ClEkJM2Vm5giqnMf4h 192.168.56.12 40908 192.168.56.11 4789 udp - - - - S0 - - 0 D 1 78 0 0 - +1467818432.676385 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 udp vxlan 3.004278 424 0 S0 - - 0 D 4 536 0 0 - +1467818432.676047 CtPZjS20MLrsMUOJi2 10.0.0.1 8 10.0.0.2 0 icmp - 3.004616 224 224 OTH - - 0 - 4 336 4 336 CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc +#close 2019-03-12-03-29-46 diff --git a/testing/btest/Baseline/core.tunnels.vxlan/out b/testing/btest/Baseline/core.tunnels.vxlan/out new file mode 100644 index 0000000000..a8da7f7cf6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.vxlan/out 
@@ -0,0 +1,8 @@ +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12111, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=36913, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12341, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37030, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12507, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37208, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12684, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37295, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 diff --git a/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log index 0e9523525c..95f062bd67 100644 --- a/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log 
+++ b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log @@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path tunnel -#open 2018-10-18-11-51-46 +#open 2019-03-12-03-29-46 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action #types time string addr port addr port enum enum -1368908504.837063 CAL8II3MrNKoLygbR 192.168.203.1 45149 192.168.202.1 4789 Tunnel::VXLAN Tunnel::DISCOVER -1368908504.925960 CPPxeT3vy9lhCeFyzf 192.168.202.1 32894 192.168.203.1 4789 Tunnel::VXLAN Tunnel::DISCOVER -1368908507.885359 CPPxeT3vy9lhCeFyzf 192.168.202.1 32894 192.168.203.1 4789 Tunnel::VXLAN Tunnel::CLOSE -1368908507.885359 CAL8II3MrNKoLygbR 192.168.203.1 45149 192.168.202.1 4789 Tunnel::VXLAN Tunnel::CLOSE -#close 2018-10-18-11-51-46 +1467818432.676047 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 Tunnel::VXLAN Tunnel::DISCOVER +1467818432.676385 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 Tunnel::VXLAN Tunnel::DISCOVER +1467818435.680663 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 Tunnel::VXLAN Tunnel::CLOSE +1467818435.680663 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 Tunnel::VXLAN Tunnel::CLOSE +#close 2019-03-12-03-29-46 diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 02e6855308..d7a24b1de7 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
@@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 1df4b007c1..d568205a79 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index ecbb136298..78ac89a4d0 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -61,6 +61,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) -> @@ -126,6 +127,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> 
@@ -154,6 +156,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> @@ -274,7 +277,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -459,7 +462,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -683,6 +686,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1 
@@ -956,6 +960,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) @@ -1021,6 +1026,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp})) 
@@ -1049,6 +1055,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) @@ -1169,7 +1176,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1354,7 +1361,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1578,6 +1585,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_UDP.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.functions.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) 
@@ -1851,6 +1859,7 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR) @@ -1916,6 +1925,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp}) @@ -1944,6 +1954,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Cluster::is_enabled() 0.000000 | HookCallFunction Cluster::local_node_type() 
@@ -2063,7 +2074,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2248,7 +2259,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2472,6 +2483,7 @@ 0.000000 | HookLoadFile .<...>/Bro_UDP.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_Unified2.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_Unified2.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_VXLAN.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_X509.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_X509.functions.bif.bro 0.000000 | HookLoadFile .<...>/Bro_X509.ocsp_events.bif.bro @@ -2678,7 +2690,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Traces/tunnels/vxlan.pcap b/testing/btest/Traces/tunnels/vxlan.pcap new file mode 100644 index 0000000000000000000000000000000000000000..76c91f7febe83fbbffa5835ab7802c58eb84ac02 GIT binary patch literal 1552 zcmca|c+)~A1{MYcU}0bcatVyEwJ;e(d95V_@W9U;`Qr;d3#7Edip*sG+ySx&WZ(QVsCGe2^{QvIUQ`ITiwVL9*?_PWWY_rsE`}*U zyFnPkUu`#Mg8h{W^Vc3Wpj|}>e?d%z`U?~iA^QG69gN?@LB0an#=+pz#cRvJxVWb# z9B2i@)&`&`5C{kg35$q|iAzXINz2H}$tx%-DXXZescUFzY3u0f=^Gdt8Jn1znS`h=ml5iJ~N6oK5h zp@)QUTm}wDaJq$r<64T`cnIjm;3yO~qJ`tF=^!`erIQejw?X0f^)wmdP3rCO}m7`JIh!&1BEkJHue~kEWoEQNL$E&~+29_QjDRSdspc@sFP~31nIIahUout +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +event vxlan_packet(c: connection, inner: pkt_hdr, vni: count) + { + print "vxlan_packet", c$id, inner, vni; + } diff --git a/testing/btest/core/tunnels/vxlan.test b/testing/btest/core/tunnels/vxlan.test deleted file mode 100644 index 9a77f9c285..0000000000 
--- a/testing/btest/core/tunnels/vxlan.test +++ /dev/null @@ -1,3 +0,0 @@ -# @TEST-EXEC: bro -r $TRACES/tunnels/vxlan-sample.pcap -# @TEST-EXEC: btest-diff conn.log -# @TEST-EXEC: btest-diff tunnel.log From 0f6f6cdb2987332447d48d5d87d0a04b196eec56 Mon Sep 17 00:00:00 2001 From: Michael Dopheide Date: Wed, 13 Mar 2019 14:14:38 -0500 Subject: [PATCH 30/88] Fix geo-data to log remote_location data when auth is successful. --- scripts/policy/protocols/ssh/geo-data.bro | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro index c8f73b6ac7..d5641e8a85 100644 --- a/scripts/policy/protocols/ssh/geo-data.bro +++ b/scripts/policy/protocols/ssh/geo-data.bro @@ -35,9 +35,6 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3 if ( ! c$ssh?$direction ) return; - # Add the location data to the SSH record. - c$ssh$remote_location = get_location(c); - if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries ) { NOTICE([$note=Watched_Country_Login, @@ -48,7 +45,7 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3 } } -event ssh_auth_failed(c: connection) &priority=3 +event ssh_auth_attempted(c: connection, authenticated: bool) &priority=3 { if ( ! c$ssh?$direction ) return; From 1f7924754eadb250a96056808faa8a1e6b5bc5df Mon Sep 17 00:00:00 2001 
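Review bot: With the `get_location(c)` assignment removed from `ssh_auth_successful`, the `c$ssh$remote_location?$country_code` test in that handler reads a field the handler no longer sets. The `Watched_Country_Login` notice therefore depends on the renamed `ssh_auth_attempted` handler (second hunk) having already run for the same connection. If `remote_location` is an optional field and that ordering does not hold, the access would presumably raise a runtime error or the notice would be skipped, leaving a silent gap in the detection. I would put `c$ssh?$remote_location &&` ahead of the existing country-code test and add a comment such as `# remote_location is filled in by ssh_auth_attempted, which is expected to fire first.` Both handler bodies continue outside the hunks, so the assignment inside `ssh_auth_attempted` is assumed rather than seen.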
From: ZekeMedley Date: Thu, 14 Mar 2019 09:46:16 -0700 Subject: [PATCH 31/88] Add key-value for loop --- src/Stmt.cc | 44 +++++++++++++- src/Stmt.h | 5 ++ src/parse.y | 59 ++++++++++++++++++- testing/btest/Baseline/language.for/out | 1 + .../btest/Baseline/language.key-value-for/out | 4 ++ testing/btest/language/for.bro | 15 ++++- testing/btest/language/key-value-for.bro | 23 ++++++++ 7 files changed, 145 insertions(+), 6 deletions(-) create mode 100644 testing/btest/Baseline/language.key-value-for/out create mode 100644 testing/btest/language/key-value-for.bro diff --git a/src/Stmt.cc b/src/Stmt.cc index 5e6ac3fb39..036019d9fd 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -1421,12 +1421,48 @@ ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr) e->Error("target to iterate over must be a table, set, vector, or string"); } +ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr, ID* val_var) + : ForStmt(arg_loop_vars, loop_expr) + { + value_var = val_var; + // Valdate that key-value for loop is being used on a table + if ( e->Type()->Tag() == TYPE_TABLE ) + { + // Type of values table holds + BroType* yield_type = e->Type()->AsTableType()->YieldType(); + + // Verify value_vars type if its already been defined + if ( value_var->Type() ) + { + if ( ! same_type(value_var->Type(), yield_type) ) + { + value_var->Type()->Error("type clash in iteration", yield_type); + } + } + else + { + delete add_local(value_var, + yield_type->Ref(), INIT_NONE, + 0, 0, VAR_REGULAR); + } + } + else + { + e->Error("key value for loops only support iteration over tables"); + } + } + ForStmt::~ForStmt() { loop_over_list(*loop_vars, i) Unref((*loop_vars)[i]); delete loop_vars; + if (value_var) + { + Unref(value_var); + } + Unref(body); } 
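Review bot: In the new three-argument `ForStmt` constructor, `yield_type` is used without a null check, and the guard `e->Type()->Tag() == TYPE_TABLE` appears to admit sets as well, whose table type carries no yield type as far as I can tell. A script containing `for ( k, v in some_set )` would then reach `same_type(value_var->Type(), yield_type)` or `yield_type->Ref()` with a null pointer and could crash while parsing instead of reporting the "key value for loops only support iteration over tables" error. I would add `if ( ! yield_type ) { e->Error("key value for loops only support iteration over tables"); return; }` right after `yield_type` is read, and cover the case with a btest next to language/key-value-for.bro. Minor: the comment reads "Valdate", and `if (value_var)` in the destructor does not use the `if ( ... )` spacing seen in the rest of this hunk.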
@@ -1443,12 +1479,18 @@ Val* ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const return 0; HashKey* k; + TableEntryVal* current_tev; IterCookie* c = loop_vals->InitForIteration(); - while ( loop_vals->NextEntry(k, c) ) + while ( (current_tev = loop_vals->NextEntry(k, c)) ) { ListVal* ind_lv = tv->RecoverIndex(k); delete k; + if (value_var) + { + f->SetElement(value_var->Offset(), current_tev->Value()->Ref()); + } + for ( int i = 0; i < ind_lv->Length(); i++ ) f->SetElement((*loop_vars)[i]->Offset(), ind_lv->Index(i)->Ref()); Unref(ind_lv); diff --git a/src/Stmt.h b/src/Stmt.h index a6676d678d..a9bf7cddf8 100644 --- a/src/Stmt.h +++ b/src/Stmt.h @@ -337,6 +337,8 @@ protected: class ForStmt : public ExprStmt { public: ForStmt(id_list* loop_vars, Expr* loop_expr); + // Special constructor for key value for loop. + ForStmt(id_list* loop_vars, Expr* loop_expr, ID* val_var); ~ForStmt() override; void AddBody(Stmt* arg_body) { body = arg_body; } @@ -361,6 +363,9 @@ protected: id_list* loop_vars; Stmt* body; + // Stores the value variable being used for a key value for loop. + // Always set to nullptr unless special constructor is called. + ID* value_var = nullptr; }; class NextStmt : public Stmt { diff --git a/src/parse.y b/src/parse.y index db7e0f846f..8b09620a24 100644 --- a/src/parse.y +++ b/src/parse.y @@ -1592,7 +1592,7 @@ for_head: if ( loop_var ) { if ( loop_var->IsGlobal() ) - loop_var->Error("global used in for loop"); + loop_var->Error("global variable used in for loop"); } else 
@@ -1606,8 +1606,61 @@ for_head: } | TOK_FOR '(' '[' local_id_list ']' TOK_IN expr ')' - { $$ = new ForStmt($4, $7); } - ; + { + $$ = new ForStmt($4, $7); + } +| + TOK_FOR '(' TOK_ID ',' TOK_ID TOK_IN expr ')' + { + set_location(@1, @8); + const char* module = current_module.c_str(); + + // Check for previous definitions of key and + // value variables. + ID* key_var = lookup_ID($3, module); + ID* val_var = lookup_ID($5, module); + + // Validate previous definitions as needed. + if ( key_var ) { + if ( key_var->IsGlobal() ) { + key_var->Error("global variable used in for loop"); + } + } else { + key_var = install_ID($3, module, false, false); + } + if ( val_var ) { + if ( val_var->IsGlobal() ) { + val_var->Error("global variable used in for loop"); + } + } else { + val_var = install_ID($5, module, false, false); + } + + id_list* loop_vars = new id_list; + loop_vars->append(key_var); + + $$ = new ForStmt(loop_vars, $7, val_var); + } + | + TOK_FOR '(' '[' local_id_list ']' ',' TOK_ID TOK_IN expr ')' + { + set_location(@1, @10); + const char* module = current_module.c_str(); + + // Validate value variable + ID* val_var = lookup_ID($7, module); + + if ( val_var ) { + if ( val_var->IsGlobal() ) { + val_var->Error("global variable used in for loop"); + } + } else { + val_var = install_ID($7, module, false, false); + } + + $$ = new ForStmt($4, $9, val_var); + } + ; local_id_list: local_id_list ',' local_id diff --git a/testing/btest/Baseline/language.for/out b/testing/btest/Baseline/language.for/out index dccc00ce3e..d7e75c46e1 100644 --- a/testing/btest/Baseline/language.for/out +++ b/testing/btest/Baseline/language.for/out @@ -1,3 +1,4 @@ for loop (PASS) for loop with break (PASS) for loop with next (PASS) +keys that are tuples (PASS) diff --git a/testing/btest/Baseline/language.key-value-for/out b/testing/btest/Baseline/language.key-value-for/out new file mode 100644 index 0000000000..43a5609374 --- /dev/null +++ b/testing/btest/Baseline/language.key-value-for/out 
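Review bot: Nothing in the two new rules rejects the same identifier being used for a key and for the value, as in `for ( x, x in t )`. In the first new rule the key is installed before `lookup_ID($5, module)` runs, so that lookup presumably returns the ID just installed and `val_var` ends up equal to `key_var`. When the index and yield types match, the constructor's type check passes and both loop variables share one frame slot. A check such as `if ( val_var == key_var ) val_var->Error("key and value variables must differ in for loop");` before building `loop_vars` would catch it, and the `[ids], val` rule needs the same comparison against each entry of `$4`. The lookup/validate/install sequence now appears three times in `for_head`, whose start is outside this hunk; a small static helper would keep the copies from drifting.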
@@ -0,0 +1,4 @@ +1, hello +55, goodbye +goodbye, world, 55 +hello, world, 1 diff --git a/testing/btest/language/for.bro b/testing/btest/language/for.bro index eb99a2705d..37d7d2e7c2 100644 --- a/testing/btest/language/for.bro +++ b/testing/btest/language/for.bro @@ -13,7 +13,7 @@ event bro_init() local vv: vector of string = vector( "a", "b", "c" ); local ct: count = 0; - # Test a "for" loop without "break" or "next" + # Test a "for" loop without "break" or "next" ct = 0; for ( i in vv ) ++ct; @@ -40,5 +40,16 @@ event bro_init() test_case("Error: this should not happen", F); } test_case("for loop with next", ct == 3 ); -} + # Test keys that are tuples + + local t: table[count, count] of string = table(); + t[1, 2] = "hi"; + + local s1: string = ""; + for ( [i, j] in t ) + s1 = fmt("%d %d %s", i, j, t[i,j]); + test_case("keys that are tuples", s1 == "1 2 hi"); + + # Tests for key value for loop are in key-value-for.bro +} diff --git a/testing/btest/language/key-value-for.bro b/testing/btest/language/key-value-for.bro new file mode 100644 index 0000000000..3d69a97f06 --- /dev/null +++ b/testing/btest/language/key-value-for.bro @@ -0,0 +1,23 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + + +event bro_init() { + # Test single keys + + local t: table[count] of string = table(); + t[1] = "hello"; + t[55] = "goodbye"; + for (key, value in t){ + print key, value; + } + + # Test multiple keys + + local tkk: table[string, string] of count = table(); + tkk["hello", "world"] = 1; + tkk["goodbye", "world"] = 55; + for ([k1, k2], val in tkk) { + print k1, k2, val; + } +} From a9771bc0eb5f8e04639acd2bdca223a65970f8e5 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 14 Mar 2019 16:23:30 -0700 Subject: [PATCH 32/88] Fix signed/unsigned comparison compiler warning --- CHANGES | 4 ++++ VERSION | 2 +- src/analyzer/protocol/udp/UDP.cc | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 08597b2422..e3f9dbc5d6 100644 
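Review bot: key-value-for.bro exercises only the two accepted forms, so none of the error paths this patch adds is covered. Those are the "key value for loops only support iteration over tables" error, the "type clash in iteration" error for a value variable that is already defined, and the "global variable used in for loop" error on the value variable. Separate btest files that run the key-value syntax over a set, a vector and a string, plus one that reuses a previously declared local of the wrong type, with their error output baselined, would pin those down. The set case is the one I would add first, since it shows whether the constructor's `TYPE_TABLE` test is strict enough.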
--- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-158 | 2019-03-14 16:23:30 -0700 + + * Fix signed/unsigned comparison compiler warning (Jon Siwek, Corelight) + 2.6-157 | 2019-03-14 16:18:13 +0000 * GH-250: Add VXLAN decapsulation support (Henrik Lund Kramshoej; Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index cb44fc556f..511bef9b6d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-157 +2.6-158 diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index b887eea5c1..ae56d8d22d 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -67,7 +67,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, constexpr auto eth_len = 14; if ( validate_checksum && - len > (sizeof(struct udphdr) + vxlan_len + eth_len) && + len > ((int)sizeof(struct udphdr) + vxlan_len + eth_len) && (data[0] & 0x08) == 0x08 ) { auto& vxlan_ports = analyzer_mgr->GetVxlanPorts(); From 158313875cf1c99add7adb8372fe638a67a57f90 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 14 Mar 2019 16:39:52 -0700 Subject: [PATCH 33/88] Move NEWS file back into main repo from zeek-docs --- CHANGES | 4 + NEWS | 2398 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- VERSION | 2 +- doc | 2 +- 4 files changed, 2403 insertions(+), 3 deletions(-) mode change 120000 => 100644 NEWS diff --git a/CHANGES b/CHANGES index e3f9dbc5d6..c47d9a0c0f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-159 | 2019-03-14 16:39:52 -0700 + + * Move NEWS file back into main repo from zeek-docs (Jon Siwek, Corelight) + 2.6-158 | 2019-03-14 16:23:30 -0700 * Fix signed/unsigned comparison compiler warning (Jon Siwek, Corelight) diff --git a/NEWS b/NEWS deleted file mode 120000 index 318c73d3e5..0000000000 --- a/NEWS +++ /dev/null @@ -1 +0,0 @@ -doc/install/NEWS.rst \ No newline at end of file diff --git a/NEWS b/NEWS new file mode 100644 index 0000000000..e11423109e --- /dev/null +++ b/NEWS 
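Review bot: In the UDP.cc hunk the C-style cast `(int)sizeof(struct udphdr)` would read better as `static_cast<int>(sizeof(struct udphdr))`, and the line deserves a short comment because it changes the comparison, not only the warning. With the unsigned right-hand side, a negative `len` would have been converted to a very large value and satisfied `len > ...`; with the signed comparison it now fails the check, which looks like the safer behaviour for a length guard in front of the `data[0]` read. Something like `// Signed comparison on purpose: a negative len must not pass the size check.` would record that. DeliverPacket's body starts and ends outside the hunk, so whether `len` can be negative at this point is not visible here.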
@@ -0,0 +1,2397 @@
+
+This document summarizes the most important changes in the current Bro
+release. For an exhaustive list of changes, see the ``CHANGES`` file
+(note that submodules, such as Broker, come with their own ``CHANGES``.)
+
+Bro 2.7
+=======
+
+New Functionality
+-----------------
+
+- Added support for DNSSEC resource records RRSIG, DNSKEY, DS, NSEC, and NSEC3.
+ The associated events are:
+
+ - dns_RRSIG
+ - dns_DNSKEY
+ - dns_DS
+ - dns_NSEC
+ - dns_NSEC3
+
+- Bro's Plugin framework now allows a patch version. If a patch version is not
+ provided, it will default to 0. To specify this, modify the plugin
+ Configuration class in your ``src/Plugin.cc`` and set
+ ``config.version.patch``. Note that the default plugin skeleton
+ includes a unit test whose Baseline has the plugin version number in
+ it and that will now fail due to the version number now including a
+ patch number. For those that want to keep the unit test, simply adapt
+ the unit test/baseline to include the new plugin patch number.
+
+- The default http.log not includes a field for the HTTP request Origin header.
+
+- Support for decapsulating VXLAN tunnels.
+
+Changed Functionality
+---------------------
+
+- The for-loop index variable for vectors has been changed from
+ 'int' to 'count' type. It's unlikely this would alter/break any
+ script behavior unless they were explicitly inspecting the variable's
+ type (and there's typically no reason to do that).
+
+- The startup/initialization behavior has changed such that any errors
+ encountered while processing the ``bro_init()`` event will cause the
+ process to terminate rather than continue on the main run loop.
+
+- The ``dns_state`` field within ``connection`` records has changed: the
+ ``pending_queries`` and ``pending_replies`` fields are now ``&optional``,
+ and there is a new field ``pending_query`` that is populated before
+ ``pending_queries``.
If you have scripts that access the ``pending_queries`` + or ``pending_replies`` fields, they will need to be updated. + This change was made to improve performance. + +- The ternary operator (" ? : ") now enforces that + if "" and "" are both records, they are of the same + type. It was always assumed that they were, but code might have + still worked even if not. + +- The "orig_fuids", "orig_filenames", "orig_mime_types" http.log fields + as well as their "resp" counterparts are now limited to having + "HTTP::max_files_orig" or "HTTP::max_files_resp" entries, which are 15 + by default. The limit can also be ignored case-by-case via the + "HTTP::max_files_policy" hook. + +Removed Functionality +--------------------- + +Deprecated Functionality +------------------------ + +Bro 2.6 +======= + +New Functionality +----------------- + +- Bro has switched to using the new Broker library for all its + communication. Broker's API has been completely redesigned (compared + to the version in 2.5), and much of its implementation has been + redone. There's a new script-level "broker" framework that + supersedes the old "communication" framework, which is now + deprecated. All scripts that ship with Bro have been ported to use + Broker. BroControl has likewise been ported to use Broker. + + For more about the new Broker framework, see + https://www.bro.org/sphinx-git/frameworks/broker.html. There's also + a guide there for porting existing Bro scripts to Broker. For more + about Broker itself, including its API for external applications, + see https://bro-broker.readthedocs.io/en/stable + + When using BroControl, the function of proxies has changed with + Broker. If you are upgrading and have configured more than one proxy + currenty, we recommend going back down to a single proxy node now. + That should be fine unless you are using custom scripts doing + significant data distribution through the new cluster framework. 
+ + A side effect of the switch to using Broker is that each Bro node now runs + as a single process instead of two. Also, the number of file descriptors + being polled in Bro's main event loop has been reduced (1 per worker + versus 5). This should increase the number of workers one can + use before reaching the common 1024 file descriptor limitation of + "select()". + +- Bro now has new "is" and "as" script operators for dynamic + type-checking and casting. + + - "v as T" casts a value v into a value of type T, assuming that's + possible (if not, it triggers a runtime error). + + - "v is T" returns a boolean indicating whether value v can be + casted into type T (i.e., if true then "v as T" will succeed). + + This casting supports three cases currently: (1) a value of + declared type "any" can be casted to its actual underlying type; + (2) Broker values can be casted to their corresponding script + types; and (3) all values can be casted to their declared types + (i.e., a no-op). + + Example for "any":: + + # cat a.bro + function check(a: any) + { + local s: string = "default"; + + if ( a is string ) + s = (a as string); + + print fmt("s=%s", s); + } + + event bro_init() + { + check("Foo"); + check(1); + } + + # bro a.bro + s=Foo + s=default + +- The existing "switch" statement got extended to now also support switching by + type rather than value. The new syntax supports two type-based versions + of "case": + + - "case type T: ...": Take branch if operand can be casted to type T. + + - "case type T as x: ... ": Take branch if operand can be casted + to type T, and make the casted value available through ID "x". + + Multiple types can be listed per branch, separated by commas. + However, one cannot mix cases with expressions and types inside a + single switch statement. 
+ + Example:: + + function switch_one(v: any) + { + switch (v) { + case type string: + print "It's a string!"; + break; + + case type count as c: + print "It's a count!", c; + break; + + case type bool, type addr: + print "It's a bool or address!"; + break; + + default: + print "Something else!"; + break; + } + } + +- Bro now comes with a new "configuration framework" that allows + updating script options dynamically at runtime. This functionality + consists of three larger pieces working together: + + - Option variables: The new "option" keyword allows variables to be + declared as runtime options. Such variables cannot be changed + using normal assignments. Instead, they can be changed using the + new function "Config::set_value". This function will automatically + apply the change to all nodes in a cluster. Note that options can also + be changed using the new function "Option::set", but this function will + not send the change to any other nodes, so Config::set_value should + typically be used instead of Option::set. + + Various redef-able constants in the standard Bro scripts have + been converted to runtime options. This change will not affect any + user scripts because the initial value of runtime options can still be + redefined with a "redef" declaration. Example:: + + option testvar = "old value"; + redef testvar = "new value"; + + It is possible to "subscribe" to an option through + "Option::set_change_handler", which will trigger a handler callback + when an option changes. Change handlers can optionally modify + values before they are applied by returning the desired value, or + reject updates by returning the old value. Priorities can be + specified if there are several handlers for one option. 
+ + Example script:: + + option testbool: bool = T; + + function option_changed(ID: string, new_value: bool): bool + { + print fmt("Value of %s changed from %s to %s", ID, testbool, new_value); + return new_value; + } + + event bro_init() + { + print "Old value", testbool; + Option::set_change_handler("testbool", option_changed); + Option::set("testbool", F); + print "New value", testbool; + } + + - Script-level configuration framework: The new script framework + base/framework/config facilitates reading in new option values + from external files at runtime. The format for these files looks + like this:: + + [option name][tab/spaces][new variable value] + + Configuration files to read can be specified by adding them to + "Config::config_files". + + Usage example:: + + redef Config::config_files += { "/path/to/config.dat" }; + + module TestConfig; + + export { + option testbool: bool = F; + } + + The specified file will now be monitored continuously for changes, so + that writing "TestConfig::testbool T" into ``/path/to/config.dat`` will + automatically update the option's value accordingly. + + The configuration framework creates a ``config.log`` that shows all + value changes that took place. + + - Config reader: Internally, the configuration framework uses a new + type of input reader to read such configuration files into Bro. + The reader uses the option name to look up the type that variable + has, converts the read value to the correct type, and then updates + the option's value. 
Example script use:: + + type Idx: record { + option_name: string; + }; + + type Val: record { + option_val: string; + }; + + global currconfig: table[string] of string = table(); + + event InputConfig::new_value(name: string, source: string, id: string, value: any) + { + print id, value; + } + + event bro_init() + { + Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); + } + +- Support for OCSP and Signed Certificate Timestamp. This adds the + following events and BIFs: + + - Events: + + - ocsp_request + - ocsp_request_certificate + - ocsp_response_status + - ocsp_response_bytes + - ocsp_response_certificate + - ocsp_extension + - x509_ocsp_ext_signed_certificate_timestamp + - ssl_extension_signed_certificate_timestamp + + - Functions: + + - sct_verify + - x509_subject_name_hash + - x509_issuer_name_hash + - x509_spki_hash + +- The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. + +- New functionality has been added to the TLS parser, adding several + events. These events mostly extract information from the server and client + key exchange messages. The new events are: + + - ssl_ecdh_server_params + - ssl_dh_server_params + - ssl_server_signature + - ssl_ecdh_client_params + - ssl_dh_client_params + - ssl_rsa_client_pms + + Since "ssl_ecdh_server_params" contains more information than the old + "ssl_server_curve" event, "ssl_server_curve" is now marked as deprecated. + +- The "ssl_application_data" event was retired and replaced with + "ssl_plaintext_data". + +- Some SSL events were changed and now provide additional data. 
These events + are: + + - ssl_client_hello + - ssl_server_hello + - ssl_encrypted_data + + If you use these events, you can make your scripts work on old and new + versions of Bro by wrapping the event definition in an "@if", for example:: + + @if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) ) + event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) + @else + event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) + @endif + +- Functions for retrieving files by their ID have been added: + + - Files::file_exists + - Files::lookup_File + +- New functions in the logging API: + + - Log::get_filter_names + - Log::enable_stream + +- HTTP now recognizes and skips upgraded/websocket connections. A new event, + "http_connection_upgrade", is raised in such cases. + +- A new hook, HTTP::sqli_policy, may be used to whitelist requests that + could otherwise be counted as SQL injection attempts. + +- Added a MOUNT3 protocol parser + + - This is not enabled by default (no ports are registered and no + DPD signatures exist, so no connections will end up attaching the + new Mount analyzer). If it were to be activated by users, the + following events are available: + + - mount_proc_null + - mount_proc_mnt + - mount_proc_umnt + - mount_proc_umnt_all + - mount_proc_not_implemented + - mount_reply_status + +- Added new NFS events: + + - nfs_proc_symlink + - nfs_proc_link + - nfs_proc_sattr + +- The SMB scripts in ``policy/protocols/smb`` are now moved into + ``base/protocols/smb`` and loaded/enabled by default. 
If you previously + loaded these scripts from their ``policy/`` location (in local.bro or + other custom scripts) you may now remove/change those although they + should still work since ``policy/protocols/smb`` is simply a placeholder + script that redirects to the new ``base/`` location. + +- Added new SMB events: + + - smb1_transaction_secondary_request + - smb1_transaction2_secondary_request + - smb1_transaction_response + +- Bro can now decrypt Kerberos tickets, and retrieve the authentication from + them, given a suitable keytab file. + +- Added support for bitwise operations on "count" values. '&', '|' and + '^' are binary "and", "or" and "xor" operators, and '~' is a unary + ones-complement operator. + +- The '&' and '|' operators can apply to patterns, too. p1 & p2 yields + a pattern that represents matching p1 followed by p2, and p1 | p2 yields + a pattern representing matching p1 or p2. The p1 | p2 functionality was + semi-present in previous versions of Bro, but required constants as + its operands; now you can use any pattern-valued expressions. + +- You can now specify that a pattern matches in a case-insensitive + fashion by adding 'i' to the end of its specification. So for example + /fOO/i == "Foo" yields T, as does /fOO/i in "xFoObar". + + You can achieve the same functionality for a subpattern enclosed in + parentheses by adding "?i:" to the open parenthesis. So for example + /foo|(?i:bar)/ will match "BaR", but not "FoO". + + For both ways of specifying case-insensitivity, characters enclosed in + double quotes remain case-sensitive. So for example /"foo"/i will not + match "Foo", but it will match "foo". + +- "make install" now installs Bro's include headers (and more) into + "--prefix" so that compiling plugins no longer needs access to a + source/build tree. For OS distributions, this also facilitates + creating "bro-devel" packages providing all files necessary to build + plugins. + +- Bro now supports PPPoE over QinQ. 
+ +- Bro now supports OpenSSL 1.1. + +- The new connection/conn.log history character 'W' indicates that + the originator ('w' = responder) advertised a TCP zero window + (instructing the peer to not send any data until receiving a + non-zero window). + +- The connection/conn.log history characters 'C' (checksum error seen), + 'T' (retransmission seen), and 'W' (zero window advertised) are now + repeated in a logarithmic fashion upon seeing multiple instances + of the corresponding behavior. Thus a connection with 2 C's in its + history means that the originator sent >= 10 packets with checksum + errors; 3 C's means >= 100, etc. + +- The above connection history behaviors occurring multiple times + (i.e., starting at 10 instances, than again for 100 instances, + etc.) generate corresponding events: + + - tcp_multiple_checksum_errors + - udp_multiple_checksum_errors + - tcp_multiple_zero_windows + - tcp_multiple_retransmissions + + Each has the same form, e.g.:: + + event tcp_multiple_retransmissions(c: connection, is_orig: bool, + threshold: count); + +- Added support for set union, intersection, difference, and comparison + operations. The corresponding operators for the first three are + "s1 | s2", "s1 & s2", and "s1 - s2". Relationals are in terms + of subsets, so "s1 < s2" yields true if s1 is a proper subset of s2 + and "s1 == s2" if the two sets have exactly the same elements. + "s1 <= s2" holds for subsets or equality, and similarly "s1 != s2", + "s1 > s2", and "s1 >= s2" have the expected meanings in terms + of non-equality, proper superset, and superset-or-equal. + +- An expression of the form "v += e" will append the value of the expression + "e" to the end of the vector "v" (of course assuming type-compatibility). + "redef v += { a, b, c }" will similarly extend a vector previously declared + with &redef by appending the result of expressions "a", "b", and "c" to + the vector at initialization-time. + +- A new "@deprecated" directive was added. 
It marks a script-file as + deprecated. + +Changed Functionality +--------------------- + +- All communication is now handled through Broker, requiring changes + to existing scripts to port them over to the new API. The Broker + framework documentation comes with a porting guide. + +- The DHCP analyzer and its script-layer interface have been rewritten. + + - Supports more DHCP options than before. + + - The DHCP log now represents DHCP sessions based on transaction ID + and works on Bro cluster deployments. + + - Removed the ``policy/protocols/dhcp/known-devices-and-hostnames.bro`` + script since it's generally less relevant now with the updated log. + + - Removed the ``base/protocols/dhcp/utils.bro`` script and thus the + "reverse_ip" function. + + - Replaced all DHCP events with the single "dhcp_message" event. + The list of removed events includes: + + - dhcp_discover + - dhcp_offer + - dhcp_request + - dhcp_decline + - dhcp_ack + - dhcp_nak + - dhcp_release + - dhcp_inform + + - A new script, ``policy/protocols/dhcp/deprecated_events.bro``, may be + loaded to aid those transitioning away from the list of "removed" + events above. The script provides definitions for the old events + and automatically generates them from a "dhcp_message" handler, thus + providing equivalent functionality to the previous Bro release. + Such usage emits deprecation warnings. + +- Removed ``policy/misc/known-devices.bro`` script and thus + ``known_devices.log`` will no longer be created. + +- The "--with-binpac" configure option has changed to mean "path + to the binpac executable" instead of "path to binpac installation root". + +- The MIME types used to identify X.509 certificates in SSL + connections changed from "application/pkix-cert" to + "application/x-x509-user-cert" for host certificates and + "application/x-x509-ca-cert" for CA certificates. + +- The "ssl_server_curve" event is considered deprecated and will be removed + in the future. 
See the new "ssl_ecdh_server_params" event for a + replacement. + +- The Socks analyzer no longer logs passwords by default. This + brings its behavior in line with the FTP/HTTP analyzers which also + do not log passwords by default. + + To restore the previous behavior and log Socks passwords, use:: + + redef SOCKS::default_capture_password = T; + +- The DNS base scripts no longer generate some noisy and annoying + weirds: + + - dns_unmatched_msg + - dns_unmatched_msg_quantity + - dns_unmatched_reply + +- The "tunnel_parents" field of ``conn.log`` is now marked ``&optional``, so, + in the default configuration of logs, this field will show "-" + instead of "(empty)" for connections that lack any tunneling. + +- SMB event argument changes: + + - "smb1_transaction_request" now has two additional arguments, "parameters" + and "data" strings + + - "smb1_transaction2_request" now has an additional "args" record argument + +- The "SMB::write_cmd_log" option has been removed and the corresponding + logic moving to ``policy/protocols/smb/log-cmds.bro`` which can simply + be loaded to produce the same effect of toggling the old flag on. + +- SSL event argument changes: + + - "ssl_server_signature" now has an additional argument + "signature_and_hashalgorithm". + +- The "dnp3_header_block" event no longer has the "start" parameter. + +- The "string_to_pattern()" and now-deprecated "merge_pattern()" + built-ins are no longer restricted to only be called at initialization time. + +- GeoIP Legacy Database support has been replaced with GeoIP2 MaxMind DB + format support. + + - This updates the "lookup_location" and "lookup_asn" BIFs to use + libmaxminddb. The motivation for this is that MaxMind is discontinuing + GeoLite Legacy databases: no updates after April 1, 2018, no downloads + after January 2, 2019. It's also noted that all GeoIP Legacy databases + may be discontinued as they are superseded by GeoIP2. 
+ +- "Weird" events are now generally suppressed/sampled by default according to + some tunable parameters: + + - Weird::sampling_whitelist + - Weird::sampling_threshold + - Weird::sampling_rate + - Weird::sampling_duration + + Those options can be changed if one needs the previous behavior of + a "net_weird", "flow_weird", or "conn_weird" event being raised for + every single event. + + The original ``weird.log`` may not differ much with these changes, + except in the cases where a particular weird type exceeds the + sampling threshold. + + Otherwise, there is a new ``weird_stats.log`` generated via + ``policy/misc/weird-stats.bro`` which contains concise summaries + of weird counts per type per time period. + +- Improved DCE-RPC analysis via tracking of context identifier mappings + + - These DCE-RPC events now contain an additional context-id argument: + + - dce_rpc_bind + - dce_rpc_request + - dce_rpc_response + + - Added new events: + + - dce_rpc_alter_context + - dce_rpc_alter_context_resp + +- The default value of ``Pcap::snaplen`` changed from 8192 to 9216 bytes + to better accommodate jumbo frames. + +- Improvements to ``ntlm.log`` to fix incorrect reporting of login + success/failure. Also, the "status" field was removed and + "server_nb_computer_name", "server_dns_computer_name", and + "server_tree_name" fields added. + +- BroControl: The output of the broctl "top" command has changed slightly. + The "Proc" column has been removed from the output. This column previously + indicated whether each Bro process was the "parent" or "child", but this + is no longer relevant because each Bro node now runs as a single process. + +- The ``DNP3::function_codes`` name for request 0x21 has been corrected from + "AUTHENTICATE_ERR" to "AUTHENTICATE_REQ_NR". + +- The ``DNS::query_types`` names for resource records 41 and 100 have been + corrected from "EDNS" to "OPT" and "DINFO" to "UINFO", respectively. 
+ +Removed Functionality +--------------------- + +- We no longer maintain any Bro plugins as part of the Bro + distribution. Most of the plugins that used to be in aux/plugins have + been moved over to use the Bro Package Manager instead. See + https://packages.bro.org for a list of Bro packages currently + available. + +- The "ocsp_request" event no longer has "requestorName" parameter. + +- The node-specific ``site/local-*.bro`` scripts have been removed. + +- BroControl: The "IPv6Comm" and "ZoneID" options are no longer + available (though Broker should be able to handle IPv6 automatically). + +Deprecated Functionality +------------------------ + +- The old communication system is now deprecated and scheduled for + removal with the next Bro release. This includes the "communication" + framework, the ``&sychronized`` attributes, and the existing + communication-related BiFs. Use Broker instead. + +- The infrastructure for serializing Bro values into a binary + representation is now deprecated and scheduled for removal with the + next Bro release. This includes the ``&persistent`` attribute, as well + as BIFs like "send_id()". Use Broker data stores and the new + configuration framework instead. + +- Mixing of scalars and vectors, such as "v + e" yielding a vector + corresponding to the vector v with the scalar e added to each of + its elements, has been deprecated. + +- The built-in function "merge_pattern()" has been deprecated. It will + be replaced by the '&' operator for patterns. + +- The undocumented feature of using "&&" and "||" operators for patterns + has been deprecated. + +- BroControl: The "update" command is deprecated and scheduled for + removal with the next Bro release. Bro's new configuration framework + is taking its place. + +Bro 2.5.5 +========= + +Bro 2.5.5 primarily addresses security issues. 
+
+- Fix array bounds checking in BinPAC: for arrays that are fields within
+ a record, the bounds check was based on a pointer to the start of the
+ record rather than the start of the array field, potentially resulting
+ in a buffer over-read.
+
+- Fix SMTP command string comparisons: the number of bytes compared was
+ based on the user-supplied string length and can lead to incorrect
+ matches. e.g. giving a command of "X" incorrectly matched
+ "X-ANONYMOUSTLS" (and an empty commands match anything).
+
+The following changes address potential vectors for Denial of Service
+reported by Christian Titze & Jan Grashöfer of Karlsruhe Institute of
+Technology:
+
+- "Weird" events are now generally suppressed/sampled by default according
+ to some tunable parameters:
+
+ - Weird::sampling_whitelist
+ - Weird::sampling_threshold
+ - Weird::sampling_rate
+ - Weird::sampling_duration
+
+ Those options can be changed if one needs the previous behavior of
+ a "net_weird", "flow_weird", or "conn_weird" event being raised for
+ every single event. Otherwise, there is a new weird_stats.log which
+ contains concise summaries of weird counts per type per time period
+ and the original weird.log may not differ much either, except in
+ the cases where a particular weird type exceeds the sampling threshold.
+ These changes help improve performance issues resulting from excessive
+ numbers of weird events.
+
+- Improved handling of empty lines in several text protocol analyzers
+ that can cause performance issues when seen in long sequences.
+
+- Add 'smtp_excessive_pending_cmds' weird which serves as a notification
+ for when the "pending command" queue has reached an upper limit and
+ been cleared to prevent one from attempting to slowly exhaust memory.
+
+Bro 2.5.4
+=========
+
+Bro 2.5.4 primarily fixes security issues:
+
+* Multiple fixes and improvements to BinPAC generated code related to
+ array parsing, with potential impact to all Bro's BinPAC-generated
+ analyzers in the form of buffer over-reads or other invalid memory
+ accesses depending on whether a particular analyzer incorrectly
+ assumed that the evaulated-array-length expression is actually the
+ number of elements that were parsed out from the input.
+
+* The NCP analyzer (not enabled by default and also updated to actually
+ work with newer Bro APIs in the release) performed a memory allocation
+ based directly on a field in the input packet and using signed integer
+ storage. This could result in a signed integer overflow and memory
+ allocations of negative or very large size, leading to a crash or
+ memory exhaustion. The new NCP::max_frame_size tuning option now
+ limits the maximum amount of memory that can be allocated.
+
+There's also the following bug fixes:
+
+* A memory leak in the SMBv1 analyzer.
+
+* The MySQL analyzer was generally not working as intended, for example,
+ it now is able to parse responses that contain multiple results/rows.
+
+Bro 2.5.3
+=========
+
+Bro 2.5.3 fixes a security issue in Binpac generated code. In some cases
+the code generated by binpac could lead to an integer overflow which can
+lead to out of bound reads and allow a remote attacker to crash Bro; there
+is also a possibility that this can be exploited in other ways.
+
+Bro 2.5.2
+=========
+
+Bro 2.5.2 fixes a security issue in the ContentLine analyzer. In rare cases
+a bug in the ContentLine analyzer can lead to an out of bound write of a single
+byte. This allows a remote attacker to crash Bro; there also is a possibility
+this can be exploited in other ways. CVE-2017-1000458 has been assigned to this
+issue.
+
+Bro 2.5.1
+=========
+
+New Functionality
+-----------------
+
+- Bro now includes bifs for rename, unlink, and rmdir.
+
+- Bro now includes events for two extensions used by TLS 1.3:
+ ssl_extension_supported_versions and ssl_extension_psk_key_exchange_modes
+
+- Bro now includes hooks that can be used to interact with log processing
+ on the C++ level.
+
+- Bro now supports ERSPAN. Currently this ignores the ethernet header that is
+ carried over the tunnel; if a MAC is logged currently only the outer MAC
+ is returned.
+
+- Added a new BroControl option CrashExpireInterval to enable
+ "broctl cron" to remove crash directories that are older than the
+ specified number of days (the default value is 0, which means crash
+ directories never expire).
+
+- Added a new BroControl option MailReceivingPackets to control
+ whether or not "broctl cron" will mail a warning when it notices
+ that no packets were seen on an interface.
+
+- There is a new broctl command-line option "--version" which outputs
+ the BroControl version.
+
+Changed Functionality
+---------------------
+
+- The input framework's Ascii reader is now more resilient. If an input
+ is marked to reread a file when it changes and the file didn't exist
+ during a check Bro would stop watching the file in previous versions.
+ The same could happen with bad data in a line of a file. These
+ situations do not cause Bro to stop watching input files anymore. The
+ old behavior is available through settings in the Ascii reader.
+
+- The RADIUS scripts have been reworked. Requests are now logged even if
+ there is no response. The new framed_addr field in the log indicates
+ if the radius server is hinting at an address for the client. The ttl
+ field indicates how quickly the server is replying to the network access
+ server.
+
+- With the introduction of the Bro package manager, the Bro plugin repository
+ is considered deprecated. The af_packet, postgresql, and tcprs plugins have
+ already been removed and are available via bro-pkg.
+
+Bro 2.5
+=======
+
+New Dependencies
+----------------
+
+- Bro now requires a compiler with C++11 support for building the
+ source code.
+
+- Bro now requires Python instead of Perl to compile the source code.
+
+- When enabling Broker (which is disabled by default), Bro now requires
+ version 0.14 of the C++ Actor Framework.
+
+New Functionality
+-----------------
+
+- SMB analyzer. This is the rewrite that has been in development for
+ several years. The scripts are currently not loaded by default and
+ must be loaded manually by loading policy/protocols/smb. The next
+ release will load the smb scripts by default.
+
+ - Implements SMB1+2.
+ - Fully integrated with the file analysis framework so that files
+ transferred over SMB can be analyzed.
+ - Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC
+ analyzer.
+ - New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log,
+ and dce_rpc.log
+ - Not every possible SMB command or functionality is implemented, but
+ generally, file handling should work whenever files are transferred.
+ Please speak up on the mailing list if there is an obvious oversight.
+
+- Bro now includes the NetControl framework. The framework allows for easy
+ interaction of Bro with hard- and software switches, firewalls, etc.
+ New log files: netcontrol.log, netcontrol_catch_release.log,
+ netcontrol_drop.log, and netcontrol_shunt.log.
+
+- Bro now includes the OpenFlow framework which exposes the data structures
+ necessary to interface to OpenFlow capable hardware.
+
+- Bro's Intelligence Framework was refactored and new functionality
+ has been added:
+
+ - The framework now supports the new indicator type Intel::SUBNET.
+ As subnets are matched against seen addresses, the new field 'matched'
+ in intel.log was introduced to indicate which indicator type(s) caused
+ the hit.
+
+ - The new function remove() allows to delete intelligence items.
+
+ - The intel framework now supports expiration of intelligence items.
+ Expiration can be configured using the new Intel::item_expiration constant
+ and can be handled by using the item_expired() hook. The new script
+ do_expire.bro removes expired items.
+
+ - The new hook extend_match() allows extending the framework. The new
+ policy script whitelist.bro uses the hook to implement whitelisting.
+
+ - Intel notices are now suppressible and mails for intel notices now
+ list the identified services as well as the intel source.
+
+- There is a new file entropy analyzer for files.
+
+- Bro now supports the remote framebuffer protocol (RFB) that is used by
+ VNC servers for remote graphical displays. New log file: rfb.log.
+
+- Bro now supports the Radiotap header for 802.11 frames.
+
+- Bro now has rudimentary IMAP and XMPP analyzers examining the initial
+ phases of the protocol. Right now these analyzers only identify
+ STARTTLS sessions, handing them over to TLS analysis. These analyzers
+ do not yet analyze any further IMAP/XMPP content.
+
+- New funtionality has been added to the SSL/TLS analyzer:
+
+ - Bro now supports (draft) TLS 1.3.
+
+ - The new event ssl_extension_signature_algorithm() allows access to the
+ TLS signature_algorithms extension that lists client supported signature
+ and hash algorithm pairs.
+
+ - The new event ssl_extension_key_share gives access to the supported named
+ groups in TLS 1.3.
+
+ - The new event ssl_application_data gives information about application data
+ that is exchanged before encryption fully starts. This is used to detect
+ when encryption starts in TLS 1.3.
+
+- Bro now tracks VLAN IDs. To record them inside the connection log,
+ load protocols/conn/vlan-logging.bro.
+
+- A new dns_CAA_reply() event gives access to DNS Certification Authority
+ Authorization replies.
+
+- A new per-packet event raw_packet() provides access to layer 2
+ information. Use with care, generating events per packet is
+ expensive.
+
+- A new built-in function, decode_base64_conn() for Base64 decoding.
+ It works like decode_base64() but receives an additional connection
+ argument that will be used for decoding errors into weird.log
+ (instead of reporter.log).
+
+- A new get_current_packet_header() bif returns the headers of the current
+ packet.
+
+- Three new built-in functions for handling set[subnet] and table[subnet]:
+
+ - check_subnet(subnet, table) checks if a specific subnet is a member
+ of a set/table. This is different from the "in" operator, which always
+ performs a longest prefix match.
+
+ - matching_subnets(subnet, table) returns all subnets of the set or table
+ that contain the given subnet.
+
+ - filter_subnet_table(subnet, table) works like matching_subnets, but returns
+ a table containing all matching entries.
+
+- Several built-in functions for handling IP addresses and subnets were added:
+
+ - is_v4_subnet(subnet) checks whether a subnet specification is IPv4.
+
+ - is_v6_subnet(subnet) checks whether a subnet specification is IPv6.
+
+ - addr_to_subnet(addr) converts an IP address to a /32 subnet.
+
+ - subnet_to_addr(subnet) returns the IP address part of a subnet.
+
+ - subnet_width(subnet) returns the width of a subnet.
+
+- The IRC analyzer now recognizes StartTLS sessions and enables the SSL
+ analyzer for them.
+
+- The misc/stats.bro script is now loaded by default and logs more Bro
+ execution statistics to the stats.log file than it did previously. It
+ now also uses the standard Bro log format.
+
+- A set of new built-in functions for gathering execution statistics:
+
+ get_net_stats(), get_conn_stats(), get_proc_stats(),
+ get_event_stats(), get_reassembler_stats(), get_dns_stats(),
+ get_timer_stats(), get_file_analysis_stats(), get_thread_stats(),
+ get_gap_stats(), get_matcher_stats()
+
+- Two new functions haversine_distance() and haversine_distance_ip()
+ for calculating geographic distances. The latter function requires that Bro
+ be built with libgeoip.
+
+- Table expiration timeout expressions are evaluated dynamically as
+ timestamps are updated.
+
+- The pcap buffer size can be set through the new option Pcap::bufsize.
+
+- Input framework readers stream types Table and Event can now define a custom
+ event (specified by the new "error_ev" field) to receive error messages
+ emitted by the input stream. This can, e.g., be used to raise notices in
+ case errors occur when reading an important input source.
+
+- The logging framework now supports user-defined record separators,
+ renaming of column names, as well as extension data columns that can
+ be added to specific or all logfiles (e.g., to add new names).
+
+- The new "bro-config" script can be used to determine the Bro installation
+ paths.
+
+- New BroControl functionality in aux/broctl:
+
+ - There is a new node type "logger" that can be specified in
+ node.cfg (that file has a commented-out example). The purpose of
+ this new node type is to receive logs from all nodes in a cluster
+ in order to reduce the load on the manager node. However, if
+ there is no "logger" node, then the manager node will handle
+ logging as usual.
+
+ - The post-terminate script will send email if it fails to archive
+ any log files. These mails can be turned off by changing the
+ value of the new BroControl option MailArchiveLogFail.
+
+ - Added the ability for "broctl deploy" to reload the BroControl
+ configuration (both broctl.cfg and node.cfg). This happens
+ automatically if broctl detects any changes to those config files
+ since the last time the config was loaded. Note that this feature
+ is relevant only when using the BroControl shell interactively.
+
+ - The BroControl plugin API has a new function "broctl_config".
+ This gives plugin authors the ability to add their own script code
+ to the autogenerated broctl-config.bro script.
+
+ - There is a new BroControl plugin for custom load balancing. This
+ plugin can be used by setting "lb_method=custom" for your worker
+ nodes in node.cfg. To support packet source plugins, it allows
+ configuration of a prefix and suffix for the interface name.
+
+- New Bro plugins in aux/plugins:
+
+ - af_packet: Native AF_PACKET support.
+ - kafka : Log writer interfacing to Kafka.
+ - myricom: Native Myricom SNF v3 support.
+ - pf_ring: Native PF_RING support.
+ - postgresql: A PostgreSQL reader/writer.
+ - redis: An experimental log writer for Redis.
+ - tcprs: A TCP-level analyzer detecting retransmissions, reordering, and more.
+
+Changed Functionality
+---------------------
+
+- Log changes:
+
+ - Connections
+
+ The 'history' field gains two new flags: '^' indicates that
+ Bro heuristically flipped the direction of the connection.
+ 't/T' indicates the first TCP payload retransmission from
+ originator or responder, respectively.
+
+ - Intelligence
+
+ New field 'matched' to indicate which indicator type(s) caused the hit.
+
+ - DNS
+
+ New 'rtt' field to indicate the round trip time between when a
+ request was sent and when a reply started.
+
+ - SMTP
+
+ New 'cc' field which includes the 'Cc' header from MIME
+ messages sent over SMTP.
+
+ Changes in 'mailfrom' and 'rcptto' fields to remove some
+ non-address cruft that will tend to be found. The main
+ example is the change from ``""`` to
+ ``"user@domain.com"``.
+
+ - HTTP
+
+ Removed 'filename' field (which was seldomly used).
+
+ New 'orig_filenames' and 'resp_filenames' fields which each
+ contain a vector of filenames seen in entities transferred.
+
+ - stats.log
+
+ The following fields have been added: active_tcp_conns,
+ active_udp_conns, active_icmp_conns, tcp_conns, udp_conns,
+ icmp_conns, timers, active_timers, files, active_files, dns_requests,
+ active_dns_requests, reassem_tcp_size, reassem_file_size,
+ reassem_frag_size, reassem_unknown_size.
+
+ The following fields have been renamed: lag -> pkt_lag.
+
+ The following fields have been removed: pkts_recv.
+
+- The BrokerComm and BrokerStore namespaces were renamed to Broker.
+ The Broker "print()" function was renamed to Broker::send_print(), and
+ the "event()" function was renamed to Broker::send_event().
+
+- The constant ``SSH::skip_processing_after_detection`` was removed. The
+ functionality was replaced by the new constant
+ ``SSH::disable_analyzer_after_detection``.
+
+- The ``net_stats()`` and ``resource_usage()`` functions have been
+ removed, and their functionality is now provided by the new execution
+ statistics functions (see above).
+
+- Some script-level identifiers have changed their names:
+
+ - snaplen -> Pcap::snaplen
+ - precompile_pcap_filter() -> Pcap::precompile_pcap_filter()
+ - install_pcap_filter() -> Pcap::install_pcap_filter()
+ - pcap_error() -> Pcap::error()
+
+- TCP analysis was changed to process connections without the initial
+ SYN packet. In the past, connections without a full handshake were
+ treated as partial, meaning that most application-layer analyzers
+ would refuse to inspect the payload. Now, Bro will consider these
+ connections as complete and all analyzers will process them normally.
+
+- The ``policy/misc/capture-loss.bro`` script is now loaded by default.
+
+- The traceroute detection script package ``policy/misc/detect-traceroute``
+ is no longer loaded by default.
+
+- Changed BroControl functionality in aux/broctl:
+
+ - The networks.cfg file now contains private IP space 172.16.0.0/12
+ by default.
+
+ - Upon startup, if broctl can't get IP addresses from the "ifconfig"
+ command for any reason, then broctl will now also try to use the
+ "ip" command.
+
+ - BroControl will now automatically search the Bro plugin directory
+ for BroControl plugins (in addition to all the other places where
+ BroControl searches). This enables automatic loading of
+ BroControl plugins that are provided by a Bro plugin.
+
+ - Changed the default value of the StatusCmdShowAll option so that
+ the "broctl status" command runs faster. This also means that
+ there is no longer a "Peers" column in the status output by
+ default.
+
+ - Users can now specify a more granular log expiration interval. The
+ BroControl option LogExpireInterval can be set to an arbitrary
+ time interval instead of just an integer number of days. The time
+ interval is specified as an integer followed by a time unit:
+ "day", "hr", or "min". For backward compatibility, an integer
+ value without a time unit is still interpreted as a number of
+ days.
+
+ - Changed the text of crash report emails. Now crash reports tell
+ the user to forward the mail to the Bro team only when a backtrace
+ is included in the crash report. If there is no backtrace, then
+ the crash report includes instructions on how to get backtraces
+ included in future crash reports.
+
+ - There is a new option SitePolicyScripts that replaces SitePolicyStandalone
+ (the old option is still available, but will be removed in the next
+ release).
+
+Removed Functionality
+---------------------
+
+- The app-stats scripts have been removed because they weren't
+ being maintained and they were becoming inaccurate (as a result, the
+ app_stats.log is also gone). They were also prone to needing more regular
+ updates as the internet changed and will likely be more relevant if
+ maintained externally.
+
+- The event ack_above_hole() has been removed, as it was a subset
+ of content_gap() and led to plenty of noise.
+
+- The command line options ``--analyze``, ``--set-seed``, and
+ ``--md5-hashkey`` have been removed.
+
+- The packaging scripts pkg/make-\*-packages are gone. They aren't
+ used anymore for the binary Bro packages that the project
+ distributes; haven't been supported in a while; and have
+ problems.
+
+Deprecated Functionality
+------------------------
+
+- The built-in functions decode_base64_custom() and
+ encode_base64_custom() are no longer needed and will be removed
+ in the future. Their functionality is now provided directly by
+ decode_base64() and encode_base64(), which take an optional
+ parameter to change the Base64 alphabet.
+
+Bro 2.4
+=======
+
+New Functionality
+-----------------
+
+- Bro now has support for external plugins that can extend its core
+ functionality, like protocol/file analysis, via shared libraries.
+ Plugins can be developed and distributed externally, and will be
+ pulled in dynamically at startup (the environment variables
+ BRO_PLUGIN_PATH and BRO_PLUGIN_ACTIVATE can be used to specify the
+ locations and names of plugins to activate). Currently, a plugin
+ can provide custom protocol analyzers, file analyzers, log writers,
+ input readers, packet sources and dumpers, and new built-in functions.
+ A plugin can furthermore hook into Bro's processing at a number of
+ places to add custom logic.
+
+ See https://www.bro.org/sphinx-git/devel/plugins.html for more
+ information on writing plugins.
+
+- Bro now has support for the MySQL wire protocol. Activity gets
+ logged into mysql.log.
+
+- Bro now parses DTLS traffic. Activity gets logged into ssl.log.
+
+- Bro now has support for the Kerberos KRB5 protocol over TCP and
+ UDP. Activity gets logged into kerberos.log.
+
+- Bro now has an RDP analyzer. Activity gets logged into rdp.log.
+
+- Bro now has a file analyzer for Portable Executables. Activity gets
+ logged into pe.log.
+
+- Bro now has support for the SIP protocol over UDP. Activity gets
+ logged into sip.log.
+
+- Bro now features a completely rewritten, enhanced SSH analyzer. The
+ new analyzer is able to determine if logins failed or succeeded in
+ most circumstances, logs a lot more more information about SSH
+ sessions, supports v1, and introduces the intelligence type
+ ``Intel::PUBKEY_HASH`` and location ``SSH::IN_SERVER_HOST_KEY``. The
+ analayzer also generates a set of additional events
+ (``ssh_auth_successful``, ``ssh_auth_failed``, ``ssh_auth_attempted``,
+ ``ssh_auth_result``, ``ssh_capabilities``, ``ssh2_server_host_key``,
+ ``ssh1_server_host_key``, ``ssh_encrypted_packet``,
+ ``ssh2_dh_server_params``, ``ssh2_gss_error``, ``ssh2_ecc_key``). See
+ next section for incompatible SSH changes.
+
+- Bro's file analysis now supports reassembly of files that are not
+ transferred/seen sequentially. The default file reassembly buffer
+ size is set with the ``Files::reassembly_buffer_size`` variable.
+
+- Bro's file type identification has been greatly improved (new file types,
+ bug fixes, and performance improvements).
+
+- Bro's scripting language now has a ``while`` statement::
+
+ while ( i < 5 )
+ print ++i;
+
+ ``next`` and ``break`` can be used inside the loop's body just like
+ with ``for`` loops.
+
+- Bro now integrates Broker, a new communication library. See
+ aux/broker/README for more information on Broker, and
+ doc/frameworks/broker.rst for the corresponding Bro script API.
+
+ With Broker, Bro has the similar capabilities of exchanging events and
+ logs with remote peers (either another Bro process or some other
+ application that uses Broker). It also includes a key-value store
+ API that can be used to share state between peers and optionally
+ allow data to persist on disk for longer-term storage.
+
+ Broker support is by default off for now; it can be enabled at
+ configure time with --enable-broker. It requires CAF version 0.13+
+ (https://github.com/actor-framework/actor-framework) as well as a
+ C++11 compiler (e.g. GCC 4.8+ or Clang 3.3+).
+
+ Broker will become a mandatory dependency in future Bro versions and
+ replace the current communication and serialization system.
+
+- Add --enable-c++11 configure flag to compile Bro's source code in
+ C++11 mode with a corresponding compiler. Note that 2.4 will be the
+ last version of Bro that compiles without C++11 support.
+
+- The SSL analysis now alerts when encountering SSL connections with
+ old protocol versions or unsafe cipher suites. It also gained
+ extended reporting of weak keys, caching of already validated
+ certificates, and full support for TLS record defragmentation. SSL generally
+ became much more robust and added several fields to ssl.log (while
+ removing some others).
+
+- A new icmp_sent_payload event provides access to ICMP payload.
+
+- The input framework's raw reader now supports seeking by adding an
+ option "offset" to the config map. Positive offsets are interpreted
+ to be from the beginning of the file, negative from the end of the
+ file (-1 is end of file).
+
+- One can now raise events when a connection crosses a given size
+ threshold in terms of packets or bytes. The primary API for that
+ functionality is in base/protocols/conn/thresholds.bro.
+
+- There is a new command-line option -Q/--time that prints Bro's execution
+ time and memory usage to stderr.
+
+- BroControl now has a new command "deploy" which is equivalent to running
+ the "check", "install", "stop", and "start" commands (in that order).
+
+- BroControl now has a new option "StatusCmdShowAll" that controls whether
+ or not the broctl "status" command gathers all of the status information.
+ This option can be used to make the "status" command run significantly
+ faster (in this case, the "Peers" column will not be shown in the output).
+
+- BroControl now has a new option "StatsLogEnable" that controls whether
+ or not broctl will record information to the "stats.log" file. This option
+ can be used to make the "broctl cron" command run slightly faster (in this
+ case, "broctl cron" will also no longer send email about not seeing any
+ packets on the monitoring interfaces).
+
+- BroControl now has a new option "MailHostUpDown" which controls whether or
+ not the "broctl cron" command will send email when it notices that a host
+ in the cluster is up or down.
+
+- BroControl now has a new option "CommandTimeout" which specifies the number
+ of seconds to wait for a command that broctl ran to return results.
+
+Changed Functionality
+---------------------
+
+- bro-cut has been rewritten in C, and is hence much faster.
+
+- File analysis
+
+ * Removed ``fa_file`` record's ``mime_type`` and ``mime_types``
+ fields. The event ``file_sniff`` has been added which provides
+ the same information. The ``mime_type`` field of ``Files::Info``
+ also still has this info.
+
+ * The earliest point that new mime type information is available is
+ in the ``file_sniff`` event which comes after the ``file_new`` and
+ ``file_over_new_connection`` events. Scripts which inspected mime
+ type info within those events will need to be adapted. (Note: for
+ users that worked w/ versions of Bro from git, for a while there was
+ also an event called ``file_mime_type`` which is now replaced with
+ the ``file_sniff`` event).
+
+ * Removed ``Files::add_analyzers_for_mime_type`` function.
+
+ * Removed ``offset`` parameter of the ``file_extraction_limit``
+ event. Since file extraction now internally depends on file
+ reassembly for non-sequential files, "offset" can be obtained
+ with other information already available -- adding together
+ ``seen_bytes`` and ``missed_bytes`` fields of the ``fa_file``
+ record gives how many bytes have been written so far (i.e.
+ the "offset").
+
+- The SSH changes come with a few incompatibilities. The following
+ events have been renamed:
+
+ * ``SSH::heuristic_failed_login`` to ``ssh_auth_failed``
+ * ``SSH::heuristic_successful_login`` to ``ssh_auth_successful``
+
+ The ``SSH::Info`` status field has been removed and replaced with
+ the ``auth_success`` field. This field has been changed from a
+ string that was previously ``success``, ``failure`` or
+ ``undetermined`` to a boolean. a boolean that is ``T``, ``F``, or
+ unset.
+
+- The has_valid_octets function now uses a string_vec parameter instead of
+ string_array.
+
+- conn.log gained a new field local_resp that works like local_orig,
+ just for the responder address of the connection.
+
+- GRE tunnels are now identified as ``Tunnel::GRE`` instead of
+ ``Tunnel::IP``.
+
+- The default name for extracted files changed from extract-protocol-id
+ to extract-timestamp-protocol-id.
+
+- The weird named "unmatched_HTTP_reply" has been removed since it can
+ be detected at the script-layer and is handled correctly by the
+ default HTTP scripts.
+
+- When adding a logging filter to a stream, the filter can now inherit
+ a default ``path`` field from the associated ``Log::Stream`` record.
+
+- When adding a logging filter to a stream, the
+ ``Log::default_path_func`` is now only automatically added to the
+ filter if it has neither a ``path`` nor a ``path_func`` already
+ explicitly set. Before, the default path function would always be set
+ for all filters which didn't specify their own ``path_func``.
+
+- BroControl now establishes only one ssh connection from the manager to
+ each remote host in a cluster configuration (previously, there would be
+ one ssh connection per remote Bro process).
+
+- BroControl now uses SQLite to record state information instead of a
+ plain text file (the file "spool/broctl.dat" is no longer used).
+ On FreeBSD, this means that there is a new dependency on the package
+ "py27-sqlite3".
+
+- BroControl now records the expected running state of each Bro node right
+ before each start or stop. The "broctl cron" command uses this info to
+ either start or stop Bro nodes as needed so that the actual state matches
+ the expected state (previously, "broctl cron" could only start nodes in
+ the "crashed" state, and could never stop a node).
+
+- BroControl now sends all normal command output (i.e., not error messages)
+ to stdout. Error messages are still sent to stderr, however.
+
+- The capability of processing NetFlow input has been removed for the
+ time being. Therefore, the -y/--flowfile and -Y/--netflow command-line
+ options have been removed, and the netflow_v5_header and netflow_v5_record
+ events have been removed.
+
+- The -D/--dfa-size command-line option has been removed.
+
+- The -L/--rule-benchmark command-line option has been removed.
+
+- The -O/--optimize command-line option has been removed.
+
+- The deprecated fields "hot" and "addl" have been removed from the
+ connection record. Likewise, the functions append_addl() and
+ append_addl_marker() have been removed.
+
+- Log files now escape non-printable characters consistently as "\xXX'.
+ Furthermore, backslashes are escaped as "\\", making the
+ representation fully reversible.
+
+Deprecated Functionality
+------------------------
+
+- The split* family of functions are to be replaced with alternate
+ versions that return a vector of strings rather than a table of
+ strings. This also allows deprecation for some related string
+ concatenation/extraction functions. Note that the new functions use
+ 0-based indexing, rather than 1-based.
+
+ The full list of now deprecated functions is:
+
+ * split: use split_string instead.
+
+ * split1: use split_string1 instead.
+
+ * split_all: use split_string_all instead.
+
+ * split_n: use split_string_n instead.
+
+ * cat_string_array: see join_string_vec instead.
+
+ * cat_string_array_n: see join_string_vec instead.
+
+ * join_string_array: see join_string_vec instead.
+
+ * sort_string_array: use sort instead.
+
+ * find_ip_addresses: use extract_ip_addresses instead.
+
+Bro 2.3
+=======
+
+Dependencies
+------------
+
+- Libmagic is no longer a dependency.
+
+New Functionality
+-----------------
+
+- Support for GRE tunnel decapsulation, including enhanced GRE
+ headers. GRE tunnels are treated just like IP-in-IP tunnels by
+ parsing past the GRE header in between the delivery and payload IP
+ packets.
+
+- The DNS analyzer now actually generates the dns_SRV_reply() event.
+ It had been documented before, yet was never raised.
+
+- Bro now uses "file magic signatures" to identify file types. These
+ are defined via two new constructs in the signature rule parsing
+ grammar: "file-magic" gives a regular expression to match against,
+ and "file-mime" gives the MIME type string of content that matches
+ the magic and an optional strength value for the match. (See also
+ "Changed Functionality" below for changes due to switching from
+ using libmagic to such signatures.)
+
+- A new built-in function, "file_magic", can be used to get all file
+ magic matches and their corresponding strength against a given chunk
+ of data.
+
+- The SSL analyzer now supports heartbeats as well as a few
+ extensions, including server_name, alpn, and ec-curves.
+
+- The SSL analyzer comes with Heartbleed detector script in
+ protocols/ssl/heartbleed.bro. Note that loading this script changes
+ the default value of "SSL::disable_analyzer_after_detection" from true
+ to false to prevent encrypted heartbeats from being ignored.
+
+- StartTLS is now supported for SMTP and POP3.
+
+- The X509 analyzer can now perform OSCP validation.
+
+- Bro now has analyzers for SNMP and Radius, which produce corresponding
+ snmp.log and radius.log output (as well as various events of course).
+
+- BroControl has a new option "BroPort" which allows a user to specify
+ the starting port number for Bro.
+
+- BroControl has a new option "StatsLogExpireInterval" which allows a
+ user to specify when entries in the stats.log file expire.
+
+- BroControl has a new option "PFRINGClusterType" which allows a user
+ to specify a PF_RING cluster type.
+
+- BroControl now supports PF_RING+DNA. There is also a new option
+ "PFRINGFirstAppInstance" that allows a user to specify the starting
+ application instance number for processes running on a DNA cluster.
+ See the BroControl documentation for more details.
+
+- BroControl now warns a user to run "broctl install" if Bro has
+ been upgraded or if the broctl or node configuration has changed
+ since the most recent install.
+
+Changed Functionality
+---------------------
+
+- string slices now exclude the end index (e.g., "123"[1:2] returns
+ "2"). Generally, Bro's string slices now behave similar to Python.
+
+- ssl_client_hello() now receives a vector of ciphers, instead of a
+ set, to preserve their order.
+
+- Notice::end_suppression() has been removed.
+
+- Bro now parses X.509 extensions headers and, as a result, the
+ corresponding event got a new signature:
+
+ event x509_extension(c: connection, is_orig: bool, cert: X509, ext: X509_extension_info);
+
+- In addition, there are several new, more specialized events for a
+ number of x509 extensions.
+
+- Generally, all x509 events and handling functions have changed their
+ signatures.
+
+- X509 certificate verification now returns the complete certificate
+ chain that was used for verification.
+
+- Bro no longer special-cases SYN/FIN/RST-filtered traces by not
+ reporting missing data. Instead, if Bro never sees any data segments
+ for analyzed TCP connections, the new
+ base/misc/find-filtered-trace.bro script will log a warning in
+ reporter.log and to stderr. The old behavior can be reverted by
+ redef'ing "detect_filtered_trace".
+
+- We have removed the packet sorter component.
+ +- Bro no longer uses libmagic to identify file types but instead now + comes with its own signature library (which initially is still + derived from libmagic's database). This leads to a number of further + changes with regards to MIME types: + + * The second parameter of the "identify_data" built-in function + can no longer be used to get verbose file type descriptions, + though it can still be used to get the strongest matching file + magic signature. + + * The "file_transferred" event's "descr" parameter no longer + contains verbose file type descriptions. + + * The BROMAGIC environment variable no longer changes any behavior + in Bro as magic databases are no longer used/installed. + + * Removed "binary" and "octet-stream" mime type detections. They + don't provide any more information than an uninitialized + mime_type field. + + * The "fa_file" record now contains a "mime_types" field that + contains all magic signatures that matched the file content + (where the "mime_type" field is just a shortcut for the + strongest match). + +- dns_TXT_reply() now supports more than one string entry by receiving + a vector of strings. + +- BroControl now runs the "exec" and "df" broctl commands only once + per host, instead of once per Bro node. The output of these + commands has been changed slightly to include both the host and + node names. + +- Several performance improvements were made. Particular emphasis + was put on the File Analysis system, which generally will now emit + far fewer file handle request events due to protocol analyzers now + caching that information internally. + +Bro 2.2 +======= + +New Functionality +----------------- + +- A completely overhauled intelligence framework for consuming + external intelligence data. It provides an abstracted mechanism + for feeding data into the framework to be matched against the + data available. 
It also provides a function named ``Intel::match``
+ which makes any hits on intelligence data available to the
+ scripting language.
+
+ Using input framework, the intel framework can load data from
+ text files. It can also update and add data if changes are
+ made to the file being monitored. Files to monitor for
+ intelligence can be provided by redef-ing the
+ ``Intel::read_files`` variable.
+
+ The intel framework is cluster-ready. On a cluster, the
+ manager is the only node that needs to load in data from disk,
+ the cluster support will distribute the data across a cluster
+ automatically.
+
+ Scripts are provided at ``policy/frameworks/intel/seen`` that
+ provide a broad set of sources of data to feed into the intel
+ framwork to be matched.
+
+- A new file analysis framework moves most of the processing of file
+ content from script-land into the core, where it belongs. See
+ ``doc/file-analysis.rst``, or the online documentation, for more
+ information.
+
+ Much of this is an internal change, but the framework also comes
+ with the following user-visible functionality (some of that was
+ already available before but is done differently, and more
+ efficiently, now):
+
+ - HTTP:
+
+ * Identify MIME type of messages.
+ * Extract messages to disk.
+ * Compute MD5 for messages.
+
+ - SMTP:
+
+ * Identify MIME type of messages.
+ * Extract messages to disk.
+ * Compute MD5 for messages.
+ * Provide access to start of entity data.
+
+ - FTP data transfers:
+
+ * Identify MIME types of data.
+ * Record to disk.
+
+ - IRC DCC transfers: Record to disk.
+
+ - Support for analyzing data transferred via HTTP range requests.
+
+ - A binary input reader interfaces the input framework with the
+ file analysis, allowing to inject files on disk into Bro's
+ content processing.
+
+- A new framework for computing a wide array of summary statistics,
+ such as counters and thresholds checks, standard deviation and mean,
+ set cardinality, top K, and more.
The framework operates in
+ real-time, independent of the underlying data, and can aggregate
+ information from many independent monitoring points (including
+ clusters). It provides a transparent, easy-to-use user interface,
+ and can optionally deploy a set of probabilistic data structures for
+ memory-efficient operation. The framework is located in
+ ``scripts/base/frameworks/sumstats``.
+
+ A number of new applications now ship with Bro that are built on top
+ of the summary statistics framework:
+
+ * Scan detection: Detectors for port and address scans. See
+ ``policy/misc/scan.bro`` (these scan detectors used to exist in
+ Bro versions <2.0; it's now back, but quite different).
+
+ * Tracerouter detector: ``policy/misc/detect-traceroute.bro``
+
+ * Web application detection/measurement:
+ ``policy/misc/app-stats/*``
+
+ * FTP and SSH brute-forcing detector:
+ ``policy/protocols/ftp/detect-bruteforcing.bro``,
+ ``policy/protocols/ssh/detect-bruteforcing.bro``
+
+ * HTTP-based SQL injection detector:
+ ``policy/protocols/http/detect-sqli.bro`` (existed before, but
+ now ported to the new framework)
+
+- GridFTP support. This is an extension to the standard FTP analyzer
+ and includes:
+
+ - An analyzer for the GSI mechanism of GSSAPI FTP AUTH method.
+ GSI authentication involves an encoded TLS/SSL handshake over
+ the FTP control session. For FTP sessions that attempt GSI
+ authentication, the ``service`` field of the connection log
+ will include ``gridftp`` (as well as also ``ftp`` and
+ ``ssl``).
+
+ - An example of a GridFTP data channel detection script. It
+ relies on the heuristics of GridFTP data channels commonly
+ default to SSL mutual authentication with a NULL bulk cipher
+ and that they usually transfer large datasets (default
+ threshold of script is 1 GB). For identified GridFTP data
+ channels, the ``services`` fields of the connection log will
+ include ``gridftp-data``.
+
+- Modbus and DNP3 support.
Script-level support is only basic at this
+ point but see ``src/analyzer/protocol/{modbus,dnp3}/events.bif``, or
+ the online documentation, for the events Bro generates. For Modbus,
+ there are also some example policies in
+ ``policy/protocols/modbus/*``.
+
+- The documentation now includes a new introduction to writing Bro
+ scripts. See ``doc/scripting/index.rst`` or, much better, the online
+ version. There's also the beginning of a chapter on "Using Bro" in
+ ``doc/using/index.rst``.
+
+- GPRS Tunnelling Protocol (GTPv1) decapsulation.
+
+- The scripting language now provide "hooks", a new flavor of
+ functions that share characteristics of both standard functions and
+ events. They are like events in that multiple bodies can be defined
+ for the same hook identifier. They are more like functions in the
+ way they are invoked/called, because, unlike events, their execution
+ is immediate and they do not get scheduled through an event queue.
+ Also, a unique feature of a hook is that a given hook handler body
+ can short-circuit the execution of remaining hook handlers simply by
+ exiting from the body as a result of a ``break`` statement (as
+ opposed to a ``return`` or just reaching the end of the body). See
+ ``doc/scripts/builtins.rst``, or the online documentation, for more
+ informatin.
+
+- Bro's language now has a working ``switch`` statement that generally
+ behaves like C-style switches (except that case labels can be
+ comprised of multiple literal constants delimited by commas). Only
+ atomic types are allowed for now. Case label bodies that don't
+ execute a ``return`` or ``break`` statement will fall through to
+ subsequent cases. A ``default`` case label is supported.
+
+- Bro's language now has a new set of types ``opaque of X``. Opaque
+ values can be passed around like other values but they can only be
+ manipulated with BiF functions, not with other operators.
Currently,
+ the following opaque types are supported::
+
+ opaque of md5
+ opaque of sha1
+ opaque of sha256
+ opaque of cardinality
+ opaque of topk
+ opaque of bloomfilter
+
+ These go along with the corrsponding BiF functions ``md5_*``,
+ ``sha1_*``, ``sha256_*``, ``entropy_*``, etc. . Note that where
+ these functions existed before, they have changed their signatures
+ to work with opaques types rather than global state.
+
+- The scripting language now supports constructing sets, tables,
+ vectors, and records by name::
+
+ type MyRecordType: record {
+ c: count;
+ s: string &optional;
+ };
+
+ global r: MyRecordType = record($c = 7);
+
+ type MySet: set[MyRec];
+ global s = MySet([$c=1], [$c=2]);
+
+- Strings now support the subscript operator to extract individual
+ characters and substrings (e.g., ``s[4]``, ``s[1:5]``). The index
+ expression can take up to two indices for the start and end index of
+ the substring to return (e.g. ``mystring[1:3]``).
+
+- Functions now support default parameters, e.g.::
+
+ global foo: function(s: string, t: string &default="abc", u: count &default=0);
+
+- Scripts can now use two new "magic constants" ``@DIR`` and
+ ``@FILENAME`` that expand to the directory path of the current
+ script and just the script file name without path, respectively.
+
+- ``ssl.log`` now also records the subject client and issuer
+ certificates.
+
+- The ASCII writer can now output CSV files on a per filter basis.
+
+- New SQLite reader and writer plugins for the logging framework allow
+ to read/write persistent data from on disk SQLite databases.
+
+- A new packet filter framework supports BPF-based load-balancing,
+ shunting, and sampling; plus plugin support to customize filters
+ dynamically.
+
+- Bro now provides Bloom filters of two kinds: basic Bloom filters
+ supporting membership tests, and counting Bloom filters that track
+ the frequency of elements.
The corresponding functions are::
+
+ bloomfilter_basic_init(fp: double, capacity: count, name: string &default=""): opaque of bloomfilter
+ bloomfilter_basic_init2(k: count, cells: count, name: string &default=""): opaque of bloomfilter
+ bloomfilter_counting_init(k: count, cells: count, max: count, name: string &default=""): opaque of bloomfilter
+ bloomfilter_add(bf: opaque of bloomfilter, x: any)
+ bloomfilter_lookup(bf: opaque of bloomfilter, x: any): count
+ bloomfilter_merge(bf1: opaque of bloomfilter, bf2: opaque of bloomfilter): opaque of bloomfilter
+ bloomfilter_clear(bf: opaque of bloomfilter)
+
+ See ``src/probabilistic/bloom-filter.bif``, or the online
+ documentation, for full documentation.
+
+- Bro now provides a probabilistic data structure for computing
+ "top k" elements. The corresponding functions are::
+
+ topk_init(size: count): opaque of topk
+ topk_add(handle: opaque of topk, value: any)
+ topk_get_top(handle: opaque of topk, k: count)
+ topk_count(handle: opaque of topk, value: any): count
+ topk_epsilon(handle: opaque of topk, value: any): count
+ topk_size(handle: opaque of topk): count
+ topk_sum(handle: opaque of topk): count
+ topk_merge(handle1: opaque of topk, handle2: opaque of topk)
+ topk_merge_prune(handle1: opaque of topk, handle2: opaque of topk)
+
+ See ``src/probabilistic/top-k.bif``, or the online documentation,
+ for full documentation.
+
+- Bro now provides a probabilistic data structure for computing set
+ cardinality, using the HyperLogLog algorithm.
The corresponding
+ functions are::
+
+ hll_cardinality_init(err: double, confidence: double): opaque of cardinality
+ hll_cardinality_add(handle: opaque of cardinality, elem: any): bool
+ hll_cardinality_merge_into(handle1: opaque of cardinality, handle2: opaque of cardinality): bool
+ hll_cardinality_estimate(handle: opaque of cardinality): double
+ hll_cardinality_copy(handle: opaque of cardinality): opaque of cardinality
+
+ See ``src/probabilistic/cardinality-counter.bif``, or the online
+ documentation, for full documentation.
+
+- ``base/utils/exec.bro`` provides a module to start external
+ processes asynchronously and retrieve their output on termination.
+ ``base/utils/dir.bro`` uses it to monitor a directory for changes,
+ and ``base/utils/active-http.bro`` for providing an interface for
+ querying remote web servers.
+
+- BroControl can now pin Bro processes to CPUs on supported platforms:
+ To use CPU pinning, a new per-node option ``pin_cpus`` can be
+ specified in node.cfg if the OS is either Linux or FreeBSD.
+
+- BroControl now returns useful exit codes. Most BroControl commands
+ return 0 if everything was OK, and 1 otherwise. However, there are
+ a few exceptions. The "status" and "top" commands return 0 if all Bro
+ nodes are running, and 1 if not all nodes are running. The "cron"
+ command always returns 0 (but it still sends email if there were any
+ problems). Any command provided by a plugin always returns 0.
+
+- BroControl now has an option "env_vars" to set Bro environment variables.
+ The value of this option is a comma-separated list of environment variable
+ assignments (e.g., "VAR1=value, VAR2=another"). The "env_vars" option
+ can apply to all Bro nodes (by setting it in broctl.cfg), or can be
+ node-specific (by setting it in node.cfg). Environment variables in
+ node.cfg have priority over any specified in broctl.cfg.
+
+- BroControl now supports load balancing with PF_RING while sniffing
+ multiple interfaces.
Rather than assigning the same PF_RING cluster ID
+ to all workers on a host, cluster ID assignment is now based on which
+ interface a worker is sniffing (i.e., all workers on a host that sniff
+ the same interface will share a cluster ID). This is handled by
+ BroControl automatically.
+
+- BroControl has several new options: MailConnectionSummary (for
+ disabling the sending of connection summary report emails),
+ MailAlarmsInterval (for specifying a different interval to send alarm
+ summary emails), CompressCmd (if archived log files will be compressed,
+ this specifies the command that will be used to compress them),
+ CompressExtension (if archived log files will be compressed, this
+ specifies the file extension to use).
+
+- BroControl comes with its own test-suite now. ``make test`` in
+ ``aux/broctl`` will run it.
+
+In addition to these, Bro 2.2 comes with a large set of smaller
+extensions, tweaks, and fixes across the whole code base, including
+most submodules.
+
+Changed Functionality
+---------------------
+
+- Previous versions of ``$prefix/share/bro/site/local.bro`` (where
+ "$prefix" indicates the installation prefix of Bro), aren't compatible
+ with Bro 2.2. This file won't be overwritten when installing over a
+ previous Bro installation to prevent clobbering users' modifications,
+ but an example of the new version is located in
+ ``$prefix/share/bro/site/local.bro.example``. So if no modification
+ has been done to the previous local.bro, just copy the new example
+ version over it, else merge in the differences.
For reference,
+ a common error message when attempting to use an outdated local.bro
+ looks like::
+
+ fatal error in /usr/local/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])
+
+- The type of ``Software::vulnerable_versions`` changed to allow
+ more flexibility and range specifications. An example usage:
+
+ .. code:: bro
+
+ const java_1_6_vuln = Software::VulnerableVersionRange(
+ $max = Software::Version($major = 1, $minor = 6, $minor2 = 0, $minor3 = 44)
+ );
+
+ const java_1_7_vuln = Software::VulnerableVersionRange(
+ $min = Software::Version($major = 1, $minor = 7),
+ $max = Software::Version($major = 1, $minor = 7, $minor2 = 0, $minor3 = 20)
+ );
+
+ redef Software::vulnerable_versions += {
+ ["Java"] = set(java_1_6_vuln, java_1_7_vuln)
+ };
+
+- The interface to extracting content from application-layer protocols
+ (including HTTP, SMTP, FTP) has changed significantly due to the
+ introduction of the new file analysis framework (see above).
+
+- Removed the following, already deprecated, functionality:
+
+ * Scripting language:
+ - ``&disable_print_hook attribute``.
+
+ * BiF functions:
+ - ``parse_dotted_addr()``, ``dump_config()``,
+ ``make_connection_persistent()``, ``generate_idmef()``,
+ ``split_complete()``
+
+ - ``md5_*``, ``sha1_*``, ``sha256_*``, and ``entropy_*`` have
+ all changed their signatures to work with opaque types (see
+ above).
+
+- Removed a now unused argument from ``do_split`` helper function.
+
+- ``this`` is no longer a reserved keyword.
+
+- The Input Framework's ``update_finished`` event has been renamed to
+ ``end_of_data``. It will now not only fire after table-reads have
+ been completed, but also after the last event of a whole-file-read
+ (or whole-db-read, etc.).
+
+- Renamed the option defining the frequency of alarm summary mails to
+ ``Logging::default_alarm_mail_interval``. When using BroControl, the
+ value can now be set with the new broctl.cfg option
+ ``MailAlarmsInterval``.
+
+- We have completely rewritten the ``notice_policy`` mechanism. It now
+ no longer uses a record of policy items but a ``hook``, a new
+ language element that's roughly equivalent to a function with
+ multiple bodies (see above). For existing code, the two main changes
+ are:
+
+ - What used to be a ``redef`` of ``Notice::policy`` now becomes a
+ hook implementation. Example:
+
+ Old::
+
+ redef Notice::policy += {
+ [$pred(n: Notice::Info) = {
+ return n$note == SSH::Login && n$id$resp_h == 10.0.0.1;
+ },
+ $action = Notice::ACTION_EMAIL]
+ };
+
+ New::
+
+ hook Notice::policy(n: Notice::Info)
+ {
+ if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 )
+ add n$actions[Notice::ACTION_EMAIL];
+ }
+
+ - notice() is now likewise a hook, no longer an event. If you
+ have handlers for that event, you'll likely just need to change
+ the type accordingly. Example:
+
+ Old::
+
+ event notice(n: Notice::Info) { ... }
+
+ New::
+
+ hook notice(n: Notice::Info) { ... }
+
+- The ``notice_policy.log`` is gone. That's a result of the new notice
+ policy setup.
+
+- Removed the ``byte_len()`` and ``length()`` bif functions. Use the
+ ``|...|`` operator instead.
+
+- The ``SSH::Login`` notice has been superseded by an corresponding
+ intelligence framework observation (``SSH::SUCCESSFUL_LOGIN``).
+
+- ``PacketFilter::all_packets`` has been replaced with
+ ``PacketFilter::enable_auto_protocol_capture_filters``.
+
+- We removed the BitTorrent DPD signatures pending further updates to
+ that analyzer.
+
+- In previous versions of BroControl, running "broctl cron" would create
+ a file ``$prefix/logs/stats/www`` (where "$prefix" indicates the
+ installation prefix of Bro). Now, it is created as a directory.
+ Therefore, if you perform an upgrade install and you're using BroControl,
+ then you may see an email (generated by "broctl cron") containing an
+ error message: "error running update-stats". To fix this problem,
+ either remove that file (it is not needed) or rename it.
+
+- Due to lack of maintenance the Ruby bindings for Broccoli are now
+ deprecated, and the build process no longer includes them by
+ default. For the time being, they can still be enabled by
+ configuring with ``--enable-ruby``, however we plan to remove
+ Broccoli's Ruby support with the next Bro release.
+
+Bro 2.1
+=======
+
+New Functionality
+-----------------
+
+- Bro now comes with extensive IPv6 support. Past versions offered
+ only basic IPv6 functionality that was rarely used in practice as it
+ had to be enabled explicitly. IPv6 support is now fully integrated
+ into all parts of Bro including protocol analysis and the scripting
+ language. It's on by default and no longer requires any special
+ configuration.
+
+ Some of the most significant enhancements include support for IPv6
+ fragment reassembly, support for following IPv6 extension header
+ chains, and support for tunnel decapsulation (6to4 and Teredo). The
+ DNS analyzer now handles AAAA records properly, and DNS lookups that
+ Bro itself performs now include AAAA queries, so that, for example,
+ the result returned by script-level lookups is a set that can
+ contain both IPv4 and IPv6 addresses. Support for the most common
+ ICMPv6 message types has been added. Also, the FTP EPSV and EPRT
+ commands are now handled properly. Internally, the way IP addresses
+ are stored has been improved, so Bro can handle both IPv4
+ and IPv6 by default without any special configuration.
+
+ In addition to Bro itself, the other Bro components have also been
+ made IPv6-aware by default. In particular, significant changes were
+ made to trace-summary, PySubnetTree, and Broccoli to support IPv6.
+
+- Bro now decapsulates tunnels via its new tunnel framework located in
+ scripts/base/frameworks/tunnels. It currently supports Teredo,
+ AYIYA, IP-in-IP (both IPv4 and IPv6), and SOCKS. For all these, it
+ logs the outer tunnel connections in both conn.log and tunnel.log,
+ and then proceeds to analyze the inner payload as if it were not
+ tunneled, including also logging that session in conn.log. For
+ SOCKS, it generates a new socks.log in addition with more
+ information.
+
+- Bro now features a flexible input framework that allows users to
+ integrate external information in real-time into Bro while it's
+ processing network traffic. The most direct use-case at the moment
+ is reading data from ASCII files into Bro tables, with updates
+ picked up automatically when the file changes during runtime. See
+ doc/input.rst for more information.
+
+ Internally, the input framework is structured around the notion of
+ "reader plugins" that make it easy to interface to different data
+ sources. We will add more in the future.
+
+- BroControl now has built-in support for host-based load-balancing
+ when using either PF_RING, Myricom cards, or individual interfaces.
+ Instead of adding a separate worker entry in node.cfg for each Bro
+ worker process on each worker host, it is now possible to just
+ specify the number of worker processes on each host and BroControl
+ configures everything correctly (including any neccessary enviroment
+ variables for the balancers).
+
+ This change adds three new keywords to the node.cfg file (to be used
+ with worker entries): lb_procs (specifies number of workers on a
+ host), lb_method (specifies what type of load balancing to use:
+ pf_ring, myricom, or interfaces), and lb_interfaces (used only with
+ "lb_method=interfaces" to specify which interfaces to load-balance
+ on).
+
+- Bro's default ASCII log format is not exactly the most efficient way
+ for storing and searching large volumes of data.
An alternatives,
+ Bro now comes with experimental support for two alternative output
+ formats:
+
+ * DataSeries: an efficient binary format for recording structured
+ bulk data. DataSeries is developed and maintained at HP Labs.
+ See doc/logging-dataseries for more information.
+
+ * ElasticSearch: a distributed RESTful, storage engine and search
+ engine built on top of Apache Lucene. It scales very well, both
+ for distributed indexing and distributed searching. See
+ doc/logging-elasticsearch.rst for more information.
+
+ Note that at this point, we consider Bro's support for these two
+ formats as prototypes for collecting experience with alternative
+ outputs. We do not yet recommend them for production (but welcome
+ feedback!)
+
+
+Changed Functionality
+---------------------
+
+The following summarizes the most important differences in existing
+functionality. Note that this list is not complete, see CHANGES for
+the full set.
+
+- Changes in dependencies:
+
+ * Bro now requires CMake >= 2.6.3.
+
+ * On Linux, Bro now links in tcmalloc (part of Google perftools)
+ if found at configure time. Doing so can significantly improve
+ memory and CPU use.
+
+ On the other platforms, the new configure option
+ --enable-perftools can be used to enable linking to tcmalloc.
+ (Note that perftools's support for non-Linux platforms may be
+ less reliable).
+
+- The configure switch --enable-brov6 is gone.
+
+- DNS name lookups performed by Bro now also query AAAA records. The
+ results of the A and AAAA queries for a given hostname are combined
+ such that at the scripting layer, the name resolution can yield a
+ set with both IPv4 and IPv6 addresses.
+
+- The connection compressor was already deprecated in 2.0 and has now
+ been removed from the code base.
+
+- We removed the "match" statement, which was no longer used by any of
+ the default scripts, nor was it likely to be used by anybody anytime
+ soon.
With that, "match" and "using" are no longer reserved keywords.
+
+- The syntax for IPv6 literals changed from "2607:f8b0:4009:802::1012"
+ to "[2607:f8b0:4009:802::1012]". When an IP address variable or IP
+ address literal is enclosed in pipes (for example,
+ ``|[fe80::db15]|``) the result is now the size of the address in
+ bits (32 for IPv4 and 128 for IPv6).
+
+- Bro now spawns threads for doing its logging. From a user's
+ perspective not much should change, except that the OS may now show
+ a bunch of Bro threads.
+
+- We renamed the configure option --enable-perftools to
+ --enable-perftools-debug to indicate that the switch is only relevant
+ for debugging the heap.
+
+- Bro's ICMP analyzer now handles both IPv4 and IPv6 messages with a
+ joint set of events. The `icmp_conn` record got a new boolean field
+ 'v6' that indicates whether the ICMP message is v4 or v6.
+
+- Log postprocessor scripts get an additional argument indicating the
+ type of the log writer in use (e.g., "ascii").
+
+- BroControl's make-archive-name script also receives the writer
+ type, but as its 2nd(!) argument. If you're using a custom version
+ of that script, you need to adapt it. See the shipped version for
+ details.
+
+- Signature files can now be loaded via the new "@load-sigs"
+ directive. In contrast to the existing (and still supported)
+ signature_files constant, this can be used to load signatures
+ relative to the current script (e.g., "@load-sigs ./foo.sig").
+
+- The options "tunnel_port" and "parse_udp_tunnels" have been removed.
+ Bro now supports decapsulating tunnels directly for protocols it
+ understands.
+
+- ASCII logs now record the time when they were opened/closed at the
+ beginning and end of the file, respectively (wall clock). The
+ options LogAscii::header_prefix and LogAscii::include_header have
+ been renamed to LogAscii::meta_prefix and LogAscii::include_meta,
+ respectively.
+
+- The ASCII writers "header_*" options have been renamed to "meta_*"
+ (because there's now also a footer).
+
+- Some built-in functions have been removed: "addr_to_count" (use
+ "addr_to_counts" instead), "bro_has_ipv6" (this is no longer
+ relevant because Bro now always supports IPv6), "active_connection"
+ (use "connection_exists" instead), and "connection_record" (use
+ "lookup_connection" instead).
+
+- The "NFS3::mode2string" built-in function has been renamed to
+ "file_mode".
+
+- Some built-in functions have been changed: "exit" (now takes the
+ exit code as a parameter), "to_port" (now takes a string as
+ parameter instead of a count and transport protocol, but
+ "count_to_port" is still available), "connect" (now takes an
+ additional string parameter specifying the zone of a non-global IPv6
+ address), and "listen" (now takes three additional parameters to
+ enable listening on IPv6 addresses).
+
+- Some Bro script variables have been renamed:
+ "LogAscii::header_prefix" has been renamed to
+ "LogAscii::meta_prefix", "LogAscii::include_header" has been renamed
+ to "LogAscii::include_meta".
+
+- Some Bro script variables have been removed: "tunnel_port",
+ "parse_udp_tunnels", "use_connection_compressor",
+ "cc_handle_resets", "cc_handle_only_syns", and
+ "cc_instantiate_on_data".
+
+- A couple events have changed: the "icmp_redirect" event now includes
+ the target and destination addresses and any Neighbor Discovery
+ options in the message, and the last parameter of the
+ "dns_AAAA_reply" event has been removed because it was unused.
+
+- The format of the ASCII log files has changed very slightly. Two
+ new lines are automatically added, one to record the time when the
+ log was opened, and the other to record the time when the log was
+ closed.
+
+- In BroControl, the option (in broctl.cfg) "CFlowAddr" was renamed to
+ "CFlowAddress".
+
+
+Bro 2.0
+=======
+
+As the version number jump from 1.5 suggests, Bro 2.0 is a major
+upgrade and lots of things have changed. Most importantly, we have
+rewritten almost all of Bro's default scripts from scratch, using
+quite different structure now and focusing more on operational
+deployment. The result is a system that works much better "out of the
+box", even without much initial site-specific configuration. The
+down-side is that 1.x configurations will need to be adapted to work
+with the new version. The two rules of thumb are:
+
+ (1) If you have written your own Bro scripts
+ that do not depend on any of the standard scripts formerly
+ found in ``policy/``, they will most likely just keep working
+ (although you might want to adapt them to use some of the new
+ features, like the new logging framework; see below).
+
+ (2) If you have custom code that depends on specifics of 1.x
+ default scripts (including most configuration tuning), that is
+ unlikely to work with 2.x. We recommend to start by using just
+ the new scripts first, and then port over any customizations
+ incrementally as necessary (they may be much easier to do now,
+ or even unnecessary). Send mail to the Bro user mailing list
+ if you need help.
+
+Below we summarize changes from 1.x to 2.x in more detail. This list
+isn't complete, see the ``CHANGES`` file in the distribution.
+for the full story.
+
+Script Organization
+-------------------
+
+In versions before 2.0, Bro scripts were all maintained in a flat
+directory called ``policy/`` in the source tree. This directory is now
+renamed to ``scripts/`` and contains major subdirectories ``base/``,
+``policy/``, and ``site/``, each of which may also be subdivided
+further.
+
+The contents of the new ``scripts/`` directory, like the old/flat
+``policy/`` still gets installed under the ``share/bro``
+subdirectory of the installation prefix path just like previous
+versions.
For example, if Bro was compiled like ``./configure
+--prefix=/usr/local/bro && make && make install``, then the script
+hierarchy can be found in ``/usr/local/bro/share/bro``.
+
+The main
+subdirectories of that hierarchy are as follows:
+
+- ``base/`` contains all scripts that are loaded by Bro by default
+ (unless the ``-b`` command line option is used to run Bro in a
+ minimal configuration). Note that is a major conceptual change:
+ rather than not loading anything by default, Bro now uses an
+ extensive set of default scripts out of the box.
+
+ The scripts under this directory generally either accumulate/log
+ useful state/protocol information for monitored traffic, configure a
+ default/recommended mode of operation, or provide extra Bro
+ scripting-layer functionality that has no significant performance cost.
+
+- ``policy/`` contains all scripts that a user will need to explicitly
+ tell Bro to load. These are scripts that implement
+ functionality/analysis that not all users may want to use and may have
+ more significant performance costs. For a new installation, you
+ should go through these and see what appears useful to load.
+
+- ``site/`` remains a directory that can be used to store locally
+ developed scripts. It now comes with some preinstalled example
+ scripts that contain recommended default configurations going beyond
+ the ``base/`` setup. E.g. ``local.bro`` loads extra scripts from
+ ``policy/`` and does extra tuning. These files can be customized in
+ place without being overwritten by upgrades/reinstalls, unlike
+ scripts in other directories.
+
+With version 2.0, the default ``BROPATH`` is set to automatically
+search for scripts in ``policy/``, ``site/`` and their parent
+directory, but **not** ``base/``. Generally, everything under
+``base/`` is loaded automatically, but for users of the ``-b`` option,
+it's important to know that loading a script in that directory
+requires the extra ``base/`` path qualification.
For example, the
+following two scripts:
+
+* ``$PREFIX/share/bro/base/protocols/ssl/main.bro``
+* ``$PREFIX/share/bro/policy/protocols/ssl/validate-certs.bro``
+
+are referenced from another Bro script like:
+
+.. code:: bro
+
+ @load base/protocols/ssl/main
+ @load protocols/ssl/validate-certs
+
+Notice how ``policy/`` can be omitted as a convenience in the second
+case. ``@load`` can now also use relative path, e.g., ``@load
+../main``.
+
+
+Logging Framework
+-----------------
+
+- The logs generated by scripts that ship with Bro are entirely redone
+ to use a standardized, machine parsable format via the new logging
+ framework. Generally, the log content has been restructured towards
+ making it more directly useful to operations. Also, several
+ analyzers have been significantly extended and thus now log more
+ information. Take a look at ``ssl.log``.
+
+ * A particular format change that may be useful to note is that the
+ ``conn.log`` ``service`` field is derived from DPD instead of
+ well-known ports (while that was already possible in 1.5, it was
+ not the default).
+
+ * Also, ``conn.log`` now reports raw number of packets/bytes per
+ endpoint.
+
+- The new logging framework makes it possible to extend, customize,
+ and filter logs very easily.
+
+- A common pattern found in the new scripts is to store logging stream
+ records for protocols inside the ``connection`` records so that
+ state can be collected until enough is seen to log a coherent unit
+ of information regarding the activity of that connection. This
+ state is now frequently seen/accessible in event handlers, for
+ example, like ``c$`` where ```` is replaced by
+ the name of the protocol. This field is added to the ``connection``
+ record by ``redef``'ing it in a
+ ``base/protocols//main.bro`` script.
+
+- The logging code has been rewritten internally, with script-level
+ interface and output backend now clearly separated.
While ASCII + logging is still the default, we will add further output types in + the future (binary format, direct database logging). + + +Notice Framework +---------------- + +The way users interact with "notices" has changed significantly in order +to make it easier to define a site policy and more extensible for adding +customized actions. + + +New Default Settings +-------------------- + +- Dynamic Protocol Detection (DPD) is now enabled/loaded by default. + +- The default packet filter now examines all packets instead of + dynamically building a filter based on which protocol analysis scripts + are loaded. See ``PacketFilter::all_packets`` for how to revert to old + behavior. + +API Changes +----------- + +- The ``@prefixes`` directive works differently now. + Any added prefixes are now searched for and loaded *after* all input + files have been parsed. After all input files are parsed, Bro + searches ``BROPATH`` for prefixed, flattened versions of all of the + parsed input files. For example, if ``lcl`` is in ``@prefixes``, and + ``site.bro`` is loaded, then a file named ``lcl.site.bro`` that's in + ``BROPATH`` would end up being automatically loaded as well. Packages + work similarly, e.g. loading ``protocols/http`` means a file named + ``lcl.protocols.http.bro`` in ``BROPATH`` gets loaded automatically. + +- The ``make_addr`` BIF now returns a ``subnet`` versus an ``addr`` + + +Variable Naming +--------------- + +- ``Module`` is more widely used for namespacing. E.g. the new + ``site.bro`` exports the ``local_nets`` identifier (among other + things) into the ``Site`` module. + +- Identifiers may have been renamed to conform to new `scripting + conventions + `_ + + +Removed Functionality +--------------------- + +We have remove a bunch of functionality that was rarely used and/or +had not been maintained for a while already: + + - The ``net`` script data type. + - The ``alarm`` statement; use the notice framework instead. + - Trace rewriting. 
+ - DFA state expiration in regexp engine. + - Active mapping. + - Native DAG support (may come back eventually) + - ClamAV support. + - The connection compressor is now disabled by default, and will + be removed in the future. + +BroControl Changes +------------------ + +BroControl looks pretty much similar to the version coming with Bro 1.x, +but has been cleaned up and streamlined significantly internally. + +BroControl has a new ``process`` command to process a trace on disk +offline using a similar configuration to what BroControl installs for +live analysis. + +BroControl now has an extensive plugin interface for adding new +commands and options. Note that this is still considered experimental. + +We have removed the ``analysis`` command, and BroControl currently +does not send daily alarm summaries anymore (this may be restored +later). + +Development Infrastructure +-------------------------- + +Bro development has moved from using SVN to Git for revision control. +Users that want to use the latest Bro development snapshot by checking it out +from the source repositories should see the `development process +`_. Note that all the various +sub-components now reside in their own repositories. However, the +top-level Bro repository includes them as git submodules so it's easy +to check them all out simultaneously. + +Bro now uses `CMake `_ for its build system so +that is a new required dependency when building from source. + +Bro now comes with a growing suite of regression tests in +``testing/``. diff --git a/VERSION b/VERSION index 511bef9b6d..00eef08f17 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-158 +2.6-159 diff --git a/doc b/doc index 0d850d3e7d..5849f875ea 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 0d850d3e7de829397e61ea50031d34f099813596 +Subproject commit 5849f875ea6cae038d4881eba326256202e711be From be7110f6c09dba2c255cd28cf1454d38cc8ee02f Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 14 Mar 2019 18:47:32 -0700 Subject: [PATCH 34/88] Make Syslog analyzer accept messages that omit Priority Essentially, it will now process/parse priority values if they are there, or else just accept whatever remaining data/text is there as the syslog message. Reasoning is that there's syslog producers out there that may have simply forgotten/neglected to send the priority value and technically won't conform to what the standard says, though we can infer the intent (some syslog consumers already may do similarly, but I didn't verify). --- doc | 2 +- scripts/base/protocols/syslog/consts.bro | 4 ++- .../protocol/syslog/syslog-analyzer.pac | 25 +++++++++++++----- .../protocol/syslog/syslog-protocol.pac | 23 +++++++++++++--- .../syslog.log | 10 +++++++ testing/btest/Traces/syslog-missing-pri.trace | Bin 0 -> 143 bytes .../base/protocols/syslog/missing-pri.bro | 4 +++ 7 files changed, 55 insertions(+), 13 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log create mode 100755 testing/btest/Traces/syslog-missing-pri.trace create mode 100644 testing/btest/scripts/base/protocols/syslog/missing-pri.bro diff --git a/doc b/doc index 5849f875ea..11db899c89 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 5849f875ea6cae038d4881eba326256202e711be +Subproject commit 11db899c89686d551b539c069b4d2aec2ffd49c9 diff --git a/scripts/base/protocols/syslog/consts.bro b/scripts/base/protocols/syslog/consts.bro index dce1877ecf..c68cbda658 100644 --- a/scripts/base/protocols/syslog/consts.bro +++ b/scripts/base/protocols/syslog/consts.bro @@ -29,6 +29,7 @@ export { [21] = "LOCAL5", [22] = "LOCAL6", [23] = "LOCAL7", + [999] = "UNSPECIFIED", } &default=function(c: count): string { return fmt("?-%d", c); }; ## Mapping between the constants and string values for syslog severities. 
@@ -41,5 +42,6 @@ export { [5] = "NOTICE", [6] = "INFO", [7] = "DEBUG", + [999] = "UNSPECIFIED", } &default=function(c: count): string { return fmt("?-%d", c); }; -} \ No newline at end of file +} diff --git a/src/analyzer/protocol/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/syslog-analyzer.pac index 6657a63699..46e2cc171d 100644 --- a/src/analyzer/protocol/syslog/syslog-analyzer.pac +++ b/src/analyzer/protocol/syslog/syslog-analyzer.pac @@ -7,16 +7,27 @@ connection Syslog_Conn(bro_analyzer: BroAnalyzer) flow Syslog_Flow { - datagram = Syslog_Message withcontext(connection, this); + datagram = Syslog_Message_Optional_PRI withcontext(connection, this); function process_syslog_message(m: Syslog_Message): bool %{ - BifEvent::generate_syslog_message(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - ${m.PRI.facility}, - ${m.PRI.severity}, - new StringVal(${m.msg}.length(), (const char*) ${m.msg}.begin()) - ); + if ( ${m.has_pri} ) + BifEvent::generate_syslog_message( + connection()->bro_analyzer(), + connection()->bro_analyzer()->Conn(), + ${m.PRI.facility}, + ${m.PRI.severity}, + new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin()) + ); + else + BifEvent::generate_syslog_message( + connection()->bro_analyzer(), + connection()->bro_analyzer()->Conn(), + 999, + 999, + new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin()) + ); + return true; %} diff --git a/src/analyzer/protocol/syslog/syslog-protocol.pac b/src/analyzer/protocol/syslog/syslog-protocol.pac index c1502fc534..41c42eba59 100644 --- a/src/analyzer/protocol/syslog/syslog-protocol.pac +++ b/src/analyzer/protocol/syslog/syslog-protocol.pac 
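Review bot: The bare `999` passed twice in the `else` branch of `process_syslog_message` is a sentinel whose meaning lives only in the `[999] = "UNSPECIFIED"` entries this commit adds to consts.bro, and nothing in the analyzer says so. I would add a comment above that branch, `// No <PRI> in the datagram: 999 maps to "UNSPECIFIED" in the script-layer facility/severity tables.`, so the two places are not changed independently. The same comment should say that this branch is taken for any datagram that does not begin with `<`, so an UNSPECIFIED row in syslog.log marks payload that was accepted without any format check.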
@@ -1,12 +1,27 @@ -type Syslog_Message = record { - PRI: Syslog_Priority; +type Syslog_Message_Optional_PRI = record { + lt: uint8; + after_lt: bytestring &restofdata &transient; +} +&byteorder = littleendian +&exportsourcedata +&let { + standard: Syslog_Message(true) withinput sourcedata &if(lt == 60); # '<' + nonstandard: Syslog_Message(false) withinput sourcedata &if(lt != 60); +}; + +type Syslog_Message(has_pri: bool) = record { + opt_pri: case has_pri of { + true -> PRI: Syslog_Priority; + false -> nothing: empty; + }; + msg: bytestring &restofdata; } &byteorder = littleendian; type Syslog_Priority = record { - lt : uint8; # &check(lt == 60); # '<' + lt : uint8 &enforce(lt == 60); # '<' val : RE/[[:digit:]]+/; - gt : uint8; # &check(gt == 62); # '>' + gt : uint8 &enforce(gt == 62); # '>' } &let { val_length: int = sizeof(val) - 1; int_val: int = bytestring_to_int(val, 10); diff --git a/testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log b/testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log new file mode 100644 index 0000000000..2a1faf440e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path syslog +#open 2019-03-15-01-41-39 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto facility severity message +#types time string addr port addr port enum string string string +1552584410.781231 CHhAvVGS1DHFjwGM9 192.168.2.118 60786 192.168.2.21 514 udp UNSPECIFIED UNSPECIFIED This is not really a syslog message #173538 1552584410.781186 +#close 2019-03-15-01-41-39 
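Review bot: In `Syslog_Priority` the brackets are now checked with `&enforce`, but `val : RE/[[:digit:]]+/;` still accepts a digit run of any length and hands it to `bytestring_to_int(val, 10)`. Syslog priority values are at most three digits, so bounding the field, for example `val : RE/[[:digit:]]{1,3}/;` if the pattern syntax accepts a repetition count, would keep oversized values from reaching the facility and severity fields. The `&let` block continues past the hunk, so how facility and severity are derived from `int_val` is not visible here; if facility is a plain division of that value, a large number could also land on the 999 sentinel and be logged as UNSPECIFIED even though a priority was present.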
diff --git a/testing/btest/Traces/syslog-missing-pri.trace b/testing/btest/Traces/syslog-missing-pri.trace new file mode 100755 index 0000000000000000000000000000000000000000..625ecddf749c9e3966d3e6f1ac8012e008965bb5 GIT binary patch literal 143 zcmca|c+)~A1{MYcU}0bca&Gl?#jJnL&5#acgYcx~4+AU`K1j@1=qSO#;L5-d`7NG- z!9nm}#DNt|Wk4+Ywup&|!PUzyBqOs}0f_SQOB9My6LWGZ6%rMSD~ogT(-m@4i;EM} fQx%jA&5ccsEffq*O^r+~OiT<7^vo>`4K2(79x5n@ literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/syslog/missing-pri.bro b/testing/btest/scripts/base/protocols/syslog/missing-pri.bro new file mode 100644 index 0000000000..c33eb1638b --- /dev/null +++ b/testing/btest/scripts/base/protocols/syslog/missing-pri.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -r $TRACES/syslog-missing-pri.trace %INPUT +# @TEST-EXEC: btest-diff syslog.log + +@load base/protocols/syslog From 3f02c0a67ca746f7c9c188221f515f07924a1534 Mon Sep 17 00:00:00 2001 
From: Christian Kreibich Date: Wed, 13 Mar 2019 23:14:14 -0700 Subject: [PATCH 35/88] Source file path control for Input and Intel frameworks This introduces the following redefinable string constants, empty by default: - InputAscii::path_prefix - InputBinary::path_prefix - Intel::path_prefix When using ASCII or binary readers in the Input/Intel Framework with an input stream source that does not have an absolute path, these constants cause Zeek to prefix the resulting paths accordingly. For example, in the following the location on disk from which Zeek loads the input becomes "/path/to/input/whitelist.data": redef InputAscii::path_prefix = "/path/to/input"; event bro_init() { Input::add_table([$source="whitelist.data", ...]); } These path prefixes can be absolute or relative. When an input stream source already uses an absolute path, this path is preserved and the new variables have no effect (i.e., we do not affect configurations already using absolute paths). Since the Intel framework builds upon the Input framework, the first two paths also affect Intel file locations. If this is undesirable, the Intel::path_prefix variable allows specifying a separate path: when its value is absolute, the resulting source seen by the Input framework is absolute, therefore no further changes to the paths happen. 
--- .../base/frameworks/input/readers/ascii.bro | 6 +++ .../base/frameworks/input/readers/binary.bro | 7 +++ scripts/base/frameworks/intel/input.bro | 22 +++++++- src/input/readers/ascii/Ascii.cc | 33 +++++++++--- src/input/readers/ascii/Ascii.h | 6 +++ src/input/readers/ascii/ascii.bif | 1 + src/input/readers/binary/Binary.cc | 17 ++++++ src/input/readers/binary/Binary.h | 1 + src/input/readers/binary/binary.bif | 1 + .../output | 3 ++ .../output | 1 + .../output | 5 ++ .../output | 3 ++ .../output | 1 + .../output | 5 ++ .../output | 3 ++ .../output | 1 + .../output | 5 ++ .../output | 3 ++ .../output | 1 + .../output | 5 ++ .../output | 3 ++ .../output | 3 ++ .../output | 3 ++ .../output | 3 ++ .../input/path-prefix/absolute-prefix.bro | 54 +++++++++++++++++++ .../input/path-prefix/absolute-source.bro | 48 +++++++++++++++++ .../frameworks/input/path-prefix/no-paths.bro | 43 +++++++++++++++ .../path-prefix-common-analysis.bro | 16 ++++++ .../path-prefix/path-prefix-common-event.bro | 21 ++++++++ .../path-prefix/path-prefix-common-table.bro | 21 ++++++++ .../input/path-prefix/relative-prefix.bro | 48 +++++++++++++++++ .../input-intel-absolute-prefixes.bro | 23 ++++++++ .../input-intel-relative-prefixes.bro | 20 +++++++ .../intel/path-prefix/input-prefix.bro | 20 +++++++ .../frameworks/intel/path-prefix/no-paths.bro | 16 ++++++ .../intel/path-prefix/path-prefix-common.bro | 19 +++++++ 37 files changed, 483 insertions(+), 8 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-2/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-3/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-2/output create mode 100644 
testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-3/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-2/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-3/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-2/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-3/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-absolute-prefixes/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-relative-prefixes/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-prefix/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.no-paths/output create mode 100644 testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro create mode 100644 testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro create mode 100644 testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro create mode 100644 testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.bro create mode 100644 testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.bro create mode 100644 testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.bro create mode 100644 testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro create mode 100644 
testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.bro create mode 100644 testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.bro create mode 100644 testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.bro create mode 100644 testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.bro create mode 100644 testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.bro diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro index ff1d30f3a9..c757718d53 100644 --- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.bro @@ -47,4 +47,10 @@ export { ## fail_on_file_problem = T was the default behavior ## until Bro 2.6. const fail_on_file_problem = F &redef; + + ## On input streams with a pathless or relative-path source filename, + ## prefix the following path. This prefix can, but need not be, absolute. + ## The default is to leave any filenames unchanged. This prefix has no + ## effect if the source already is an absolute path. + const path_prefix = "" &redef; } diff --git a/scripts/base/frameworks/input/readers/binary.bro b/scripts/base/frameworks/input/readers/binary.bro index abd7944ff2..9b00017c9d 100644 --- a/scripts/base/frameworks/input/readers/binary.bro +++ b/scripts/base/frameworks/input/readers/binary.bro @@ -5,4 +5,11 @@ module InputBinary; export { ## Size of data chunks to read from the input file at a time. const chunk_size = 1024 &redef; + + ## On input streams with a pathless or relative-path source filename, + ## prefix the following path. This prefix can, but need not be, absolute. + ## The default is to leave any filenames unchanged. This prefix has no + ## effect if the source already is an absolute path. + const path_prefix = "" &redef; + } 
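Review bot: The new `path_prefix` comment in ascii.bro, and the identical one added to binary.bro, says the prefix applies to pathless or relative sources but does not say that it is only prepended, not enforced. As far as the joining code in this patch shows, a relative source containing `..` components would still resolve outside the prefix directory, so the option should not be read as confining input files to one location. I would add one line to both comments: `## The prefix is only prepended; it does not restrict sources to that directory.`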
diff --git a/scripts/base/frameworks/intel/input.bro b/scripts/base/frameworks/intel/input.bro index 9c4d033627..aea3ac9a35 100644 --- a/scripts/base/frameworks/intel/input.bro +++ b/scripts/base/frameworks/intel/input.bro @@ -10,6 +10,16 @@ export { ## reread every time they are updated so updates must be atomic ## with "mv" instead of writing the file in place. const read_files: set[string] = {} &redef; + + ## An optional path prefix for intel files. This prefix can, but + ## need not be, absolute. The default is to leave any filenames + ## unchanged. This prefix has no effect if a read_file entry is + ## an absolute path. This prefix gets applied _before_ entering + ## the input framework, so if the prefix is absolute, the input + ## framework won't munge it further. If it is relative, then + ## any path_prefix specified in the input framework will apply + ## additionally. + const path_prefix = "" &redef; } event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item) @@ -24,7 +34,17 @@ event bro_init() &priority=5 { for ( a_file in read_files ) { - Input::add_event([$source=a_file, + # Handle prefixing of the source file name. Note + # that this currently always uses the ASCII reader, + # so we know we're dealing with filenames. + local source = a_file; + + # If we have a path prefix and the file doesn't + # already have an absolute path, prepend the prefix. + if ( |path_prefix| > 0 && sub_bytes(a_file, 0, 1) != "/" ) + source = cat(rstrip(path_prefix, "/"), "/", a_file); + + Input::add_event([$source=source, $reader=Input::READER_ASCII, $mode=Input::REREAD, $name=cat("intel-", a_file), diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 30eff2669d..48fedec85b 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc 
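Review bot: The comment on the new `Intel::path_prefix` option does not say what happens when the prefixed path cannot be opened, which is the likely result of a mistyped prefix for every relative `read_files` entry. The ascii.bro context in this patch shows `fail_on_file_problem = F`, and the reader changes in Ascii.cc route an open failure through `FailWarn` and `return ! fail_on_file_problem`, so with that setting the sensor would apparently keep running with no indicators loaded and only a warning to show for it. I would add to the option's comment: `## If the prefixed path cannot be opened, handling follows InputAscii::fail_on_file_problem; check for reader warnings after changing this.`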
@@ -82,6 +82,9 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f fail_on_invalid_lines = BifConst::InputAscii::fail_on_invalid_lines; fail_on_file_problem = BifConst::InputAscii::fail_on_file_problem; + path_prefix.assign( (const char*) BifConst::InputAscii::path_prefix->Bytes(), + BifConst::InputAscii::path_prefix->Len()); + // Set per-filter configuration options. for ( ReaderInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ ) { @@ -137,18 +140,34 @@ bool Ascii::OpenFile() if ( file.is_open() ) return true; - file.open(Info().source); + // Handle path-prefixing. See similar logic in Binary::DoInit(). + fname = Info().source; + + if ( fname.front() != '/' && ! path_prefix.empty() ) + { + string path = path_prefix; + std::size_t last = path.find_last_not_of("/"); + + if ( last == string::npos ) // Nothing but slashes -- weird but ok... + path = "/"; + else + path.erase(last + 1); + + fname = path + "/" + fname; + } + + file.open(fname); if ( ! file.is_open() ) { - FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source), true); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", fname.c_str()), true); return ! fail_on_file_problem; } if ( ReadHeader(false) == false ) { - FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; problem reading file header", Info().source), true); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; problem reading file header", fname.c_str()), true); file.close(); return ! fail_on_file_problem; @@ -169,7 +188,7 @@ bool Ascii::ReadHeader(bool useCached) if ( ! GetLine(line) ) { FailWarn(fail_on_file_problem, Fmt("Could not read input data file %s; first line could not be read", - Info().source), true); + fname.c_str()), true); return false; } 
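Review bot: `fname.front()` in the new prefix check of `Ascii::OpenFile` is called before anything establishes that the source is non-empty, and `front()` on an empty `std::string` is undefined behaviour; the old code passed the source straight to `file.open()`, which fails cleanly. `Binary::DoInit` in this same patch rejects an empty source before its copy of the check, but no such guard is visible here. The condition should test for emptiness first: `if ( ! fname.empty() && fname.front() != '/' && ! path_prefix.empty() )`. Whether `Info().source` can be null at this point cannot be told from the hunk; if it can, the assignment to `fname` needs the same care.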
@@ -212,7 +231,7 @@ bool Ascii::ReadHeader(bool useCached) } FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.", - field->name, Info().source), true); + field->name, fname.c_str()), true); return false; } @@ -274,9 +293,9 @@ bool Ascii::DoUpdate() { // check if the file has changed struct stat sb; - if ( stat(Info().source, &sb) == -1 ) + if ( stat(fname.c_str(), &sb) == -1 ) { - FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source), true); + FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", fname.c_str()), true); file.close(); return ! fail_on_file_problem; diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 4fd236761e..91177519bc 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -66,6 +66,11 @@ private: time_t mtime; ino_t ino; + // The name using which we actually load the file -- compared + // to the input source name, this one may have a path_prefix + // attached to it. + string fname; + // map columns in the file to columns to send back to the manager vector columnMap; @@ -79,6 +84,7 @@ private: string unset_field; bool fail_on_invalid_lines; bool fail_on_file_problem; + string path_prefix; // this is an internal indicator in case the read is currently in a failed state // it's used to suppress duplicate error messages. diff --git a/src/input/readers/ascii/ascii.bif b/src/input/readers/ascii/ascii.bif index 80ff4611e7..0fe6ddb73d 100644 --- a/src/input/readers/ascii/ascii.bif +++ b/src/input/readers/ascii/ascii.bif @@ -7,3 +7,4 @@ const empty_field: string; const unset_field: string; const fail_on_invalid_lines: bool; const fail_on_file_problem: bool; +const path_prefix: string; diff --git a/src/input/readers/binary/Binary.cc b/src/input/readers/binary/Binary.cc index 5ae3cc7c15..b23760a762 100644 --- a/src/input/readers/binary/Binary.cc +++ b/src/input/readers/binary/Binary.cc 
@@ -81,6 +81,9 @@ bool Binary::DoInit(const ReaderInfo& info, int num_fields, ino = 0; firstrun = true; + path_prefix.assign( (const char*) BifConst::InputBinary::path_prefix->Bytes(), + BifConst::InputBinary::path_prefix->Len()); + if ( ! info.source || strlen(info.source) == 0 ) { Error("No source path provided"); @@ -104,6 +107,20 @@ bool Binary::DoInit(const ReaderInfo& info, int num_fields, // do initialization fname = info.source; + // Handle path-prefixing. See similar logic in Ascii::OpenFile(). + if ( fname.front() != '/' && ! path_prefix.empty() ) + { + string path = path_prefix; + std::size_t last = path.find_last_not_of("/"); + + if ( last == string::npos ) // Nothing but slashes -- weird but ok... + path = "/"; + else + path.erase(last + 1); + + fname = path + "/" + fname; + } + if ( ! OpenInput() ) return false; diff --git a/src/input/readers/binary/Binary.h b/src/input/readers/binary/Binary.h index 796640bfb4..414c748a73 100644 --- a/src/input/readers/binary/Binary.h +++ b/src/input/readers/binary/Binary.h @@ -42,6 +42,7 @@ private: // options set from the script-level. static streamsize chunk_size; + string path_prefix; }; } diff --git a/src/input/readers/binary/binary.bif b/src/input/readers/binary/binary.bif index 54e32ff453..6fdfcf3f0e 100644 --- a/src/input/readers/binary/binary.bif +++ b/src/input/readers/binary/binary.bif @@ -2,3 +2,4 @@ module InputBinary; const chunk_size: count; +const path_prefix: string; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-2/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-2/output new file mode 100644 index 0000000000..9fa63b93c3 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-2/output @@ -0,0 +1,3 @@ +[ip=127.0.3.1, tag=just] +[ip=127.0.3.2, tag=some] +[ip=127.0.3.3, tag=value] 
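Review bot: The prefix-joining block added to `Binary::DoInit` is a line-for-line copy of the one added to `Ascii::OpenFile`, each carrying a comment that points at the other. Two copies of path handling tend to drift, and a correction made in one reader is easily missed in the other. A single helper called by both readers would keep the rule in one place: absolute or empty sources are returned unchanged and trailing slashes are trimmed from the prefix. A sketch follows with the call site for `Binary::DoInit`; where the helper should live is a project decision not visible from this patch.

```cpp
// Prepends prefix to a relative source; absolute or empty sources are returned unchanged.
static string apply_path_prefix(const string& prefix, const string& source)
	{
	if ( source.empty() || source.front() == '/' || prefix.empty() )
		return source;

	// Trim trailing slashes; a prefix made only of slashes collapses to "/".
	std::size_t last = prefix.find_last_not_of("/");
	string dir = last == string::npos ? string("/") : prefix.substr(0, last + 1);

	return dir + "/" + source;
	}

// … unchanged: source validation and chunk_size setup in Binary::DoInit …
fname = apply_path_prefix(path_prefix, info.source);
```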
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-3/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-3/output new file mode 100644 index 0000000000..a5d17c8e71 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-3/output @@ -0,0 +1 @@ +file_hash, md5, ad8f8274b0e9fedb79093b1d1b6d6d73 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix/output new file mode 100644 index 0000000000..cb63569a66 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix/output @@ -0,0 +1,5 @@ +{ +[127.0.3.2] = some, +[127.0.3.3] = value, +[127.0.3.1] = just +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-2/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-2/output new file mode 100644 index 0000000000..6384276457 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-2/output @@ -0,0 +1,3 @@ +[ip=127.0.4.1, tag=just] +[ip=127.0.4.2, tag=some] +[ip=127.0.4.3, tag=value] diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-3/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-3/output new file mode 100644 index 0000000000..884334bf29 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-3/output @@ -0,0 +1 @@ +file_hash, md5, cacc0ee959be71cbe287c5554b4e83b0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source/output new file mode 100644 index 0000000000..ebcacaef18 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source/output @@ -0,0 +1,5 @@ +{ +[127.0.4.1] = just, +[127.0.4.2] = some, +[127.0.4.3] = value +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-2/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-2/output new file mode 100644 index 0000000000..4ad0a8a25d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-2/output @@ -0,0 +1,3 @@ +[ip=127.0.0.1, tag=just] +[ip=127.0.0.2, tag=some] +[ip=127.0.0.3, tag=value] diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-3/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-3/output new file mode 100644 index 0000000000..afb64f34cc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-3/output @@ -0,0 +1 @@ +file_hash, md5, f78b90a215f8decb59cf672df57ab134 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths/output new file mode 100644 index 0000000000..3b186de28f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths/output @@ -0,0 +1,5 @@ +{ +[127.0.0.2] = some, +[127.0.0.1] = just, +[127.0.0.3] = value +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-2/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-2/output new file mode 100644 index 0000000000..709ed78cb8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-2/output @@ -0,0 +1,3 @@ +[ip=127.0.1.1, tag=just] +[ip=127.0.1.2, tag=some] +[ip=127.0.1.3, tag=value] 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-3/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-3/output new file mode 100644 index 0000000000..8a10f2127b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-3/output @@ -0,0 +1 @@ +file_hash, md5, 6a87477e9c8e269ac9cc0cb70464ea1f diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix/output new file mode 100644 index 0000000000..c2e80a8281 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix/output @@ -0,0 +1,5 @@ +{ +[127.0.1.1] = just, +[127.0.1.2] = some, +[127.0.1.3] = value +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-absolute-prefixes/output b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-absolute-prefixes/output new file mode 100644 index 0000000000..c9b56b9a7d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-absolute-prefixes/output @@ -0,0 +1,3 @@ +127.0.2.1 Intel::ADDR +127.0.2.2 Intel::ADDR +127.0.2.3 Intel::ADDR diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-relative-prefixes/output b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-relative-prefixes/output new file mode 100644 index 0000000000..2022340d06 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-relative-prefixes/output @@ -0,0 +1,3 @@ +127.0.1.1 Intel::ADDR +127.0.1.2 Intel::ADDR +127.0.1.3 Intel::ADDR 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-prefix/output b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-prefix/output new file mode 100644 index 0000000000..ff5c709f0d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-prefix/output @@ -0,0 +1,3 @@ +127.0.0.1 Intel::ADDR +127.0.0.2 Intel::ADDR +127.0.0.3 Intel::ADDR diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.no-paths/output b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.no-paths/output new file mode 100644 index 0000000000..ff5c709f0d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.no-paths/output @@ -0,0 +1,3 @@ +127.0.0.1 Intel::ADDR +127.0.0.2 Intel::ADDR +127.0.0.3 Intel::ADDR diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro new file mode 100644 index 0000000000..df8a68613d --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro 
@@ -0,0 +1,54 @@ +# These tests set the InputAscii::path_prefix / InputBinary::path_prefix +# variables to verify that an absolute path prefix gets added correctly +# to relative/path-less input sources. +# +# @TEST-EXEC: cat %INPUT | sed "s|@path_prefix@|$PWD/subdir|" >input.bro +# @TEST-EXEC: mkdir -p subdir +# +# Note, in the following we'd ideally use %DIR to express the +# additional path, but there's currently a problem in btest with using +# %DIR after TEST-START-NEXT. +# +# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/input/path-prefix bro -b input.bro >output +# @TEST-EXEC: btest-diff output + +@TEST-START-FILE subdir/input.data +#fields ip tag +127.0.3.1 just +127.0.3.2 some +127.0.3.3 value +@TEST-END-FILE + +@load path-prefix-common-table.bro +redef InputAscii::path_prefix = "@path_prefix@"; + +event bro_init() + { + Input::add_table([$source="input.data", $name="input", $idx=Idx, $val=Val, + $destination=destination, $want_record=F]); + } + +# @TEST-START-NEXT +# +# The same test, but using event streams for input. + +@load path-prefix-common-event.bro +redef InputAscii::path_prefix = "@path_prefix@"; + +event bro_init() + { + Input::add_event([$source="input.data", $name="input", + $fields=Val, $ev=inputev]); + } + +# @TEST-START-NEXT +# +# The same test again, but using file analysis w/ binary readers. + +@load path-prefix-common-analysis.bro +redef InputBinary::path_prefix = "@path_prefix@"; + +event bro_init() + { + Input::add_analysis([$source="input.data", $name="input"]); + } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro new file mode 100644 index 0000000000..06d711a5e8 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro 
@@ -0,0 +1,48 @@
+# These tests set the InputAscii::path_prefix / InputBinary::path_prefix
+# variables to verify that setting these prefixes has no effect when
+# an input file uses an absolute-path source.
+#
+# @TEST-EXEC: cat %INPUT | sed "s|@path_prefix@|$PWD|" >input.bro
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/input/path-prefix bro -b input.bro >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE input.data
+#fields ip tag
+127.0.4.1 just
+127.0.4.2 some
+127.0.4.3 value
+@TEST-END-FILE
+
+@load path-prefix-common-table.bro
+redef InputAscii::path_prefix = "/this/does/not/exist";
+
+event bro_init()
+ {
+ Input::add_table([$source="@path_prefix@/input.data", $name="input", $idx=Idx, $val=Val,
+ $destination=destination, $want_record=F]);
+ }
+
+# @TEST-START-NEXT
+#
+# The same test, but using event streams for input.
+
+@load path-prefix-common-event.bro
+redef InputAscii::path_prefix = "/this/does/not/exist";
+
+event bro_init()
+ {
+ Input::add_event([$source="@path_prefix@/input.data", $name="input",
+ $fields=Val, $ev=inputev]);
+ }
+
+# @TEST-START-NEXT
+#
+# The same test again, but using file analysis w/ binary readers.
+
+@load path-prefix-common-analysis.bro
+redef InputBinary::path_prefix = "/this/does/not/exist";
+
+event bro_init()
+ {
+ Input::add_analysis([$source="@path_prefix@/input.data", $name="input"]);
+ }
diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro
new file mode 100644
index 0000000000..dd38fd7796
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro
@@ -0,0 +1,43 @@
+# These tests verify that when setting neither InputAscii::path_prefix
+# nor InputBinary::path_prefix, Zeek correctly locates local input files.
+#
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/input/path-prefix bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE input.data
+#fields ip tag
+127.0.0.1 just
+127.0.0.2 some
+127.0.0.3 value
+@TEST-END-FILE
+
+@load path-prefix-common-table.bro
+
+event bro_init()
+ {
+ Input::add_table([$source="input.data", $name="input", $idx=Idx, $val=Val,
+ $destination=destination, $want_record=F]);
+ }
+
+# @TEST-START-NEXT
+#
+# The same test, but using event streams for input.
+
+@load path-prefix-common-event.bro
+
+event bro_init()
+ {
+ Input::add_event([$source="input.data", $name="input",
+ $fields=Val, $ev=inputev]);
+ }
+
+# @TEST-START-NEXT
+#
+# The same test again, but using file analysis w/ binary readers.
+
+@load path-prefix-common-analysis.bro
+
+event bro_init()
+ {
+ Input::add_analysis([$source="input.data", $name="input"]);
+ }
diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.bro
new file mode 100644
index 0000000000..9e57c9e6ba
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.bro
@@ -0,0 +1,16 @@
+# @TEST-IGNORE
+#
+# This file contains code used by the file analysis path-prefix tests.
+
+redef exit_only_after_terminate = T;
+
+event file_new(f: fa_file)
+ {
+ Files::add_analyzer(f, Files::ANALYZER_MD5);
+ }
+
+event file_hash(f: fa_file, kind: string, hash: string)
+ {
+ print "file_hash", kind, hash;
+ terminate();
+ }
diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.bro
new file mode 100644
index 0000000000..e023f5f24b
--- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.bro @@ -0,0 +1,21 @@ +# @TEST-IGNORE +# +# This file contains code used by the event-driven path-prefix tests. + +redef exit_only_after_terminate = T; + +type Val: record { + ip: addr; + tag: string; +}; + +event inputev(description: Input::EventDescription, + t: Input::Event, data: Val) + { + print data; + } + +event Input::end_of_data(name: string, source: string) + { + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.bro new file mode 100644 index 0000000000..836b746202 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.bro @@ -0,0 +1,21 @@ +# @TEST-IGNORE +# +# This file contains code used by the table-driven path-prefix tests. + +redef exit_only_after_terminate = T; + +type Idx: record { + ip: addr; +}; + +type Val: record { + tag: string; +}; + +global destination: table[addr] of string = table(); + +event Input::end_of_data(name: string, source: string) + { + print destination; + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro new file mode 100644 index 0000000000..52ae233289 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro 
@@ -0,0 +1,48 @@
+# This test sets the InputAscii::path_prefix / InputBinary::path_prefix
+# variables to verify that a relative path prefix applies correctly
+# from the current working directory.
+#
+# @TEST-EXEC: mkdir -p alternative
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/input/path-prefix bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE alternative/input.data
+#fields ip tag
+127.0.1.1 just
+127.0.1.2 some
+127.0.1.3 value
+@TEST-END-FILE
+
+@load path-prefix-common-table.bro
+redef InputAscii::path_prefix = "alternative";
+
+event bro_init()
+ {
+ Input::add_table([$source="input.data", $name="input", $idx=Idx, $val=Val,
+ $destination=destination, $want_record=F]);
+ }
+
+# @TEST-START-NEXT
+#
+# The same test, but using event streams for input.
+
+@load path-prefix-common-event.bro
+redef InputAscii::path_prefix = "alternative";
+
+event bro_init()
+ {
+ Input::add_event([$source="input.data", $name="input",
+ $fields=Val, $ev=inputev]);
+ }
+
+# @TEST-START-NEXT
+#
+# The same test again, but using file analysis w/ binary readers.
+
+@load path-prefix-common-analysis.bro
+redef InputBinary::path_prefix = "alternative";
+
+event bro_init()
+ {
+ Input::add_analysis([$source="input.data", $name="input"]);
+ }
diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.bro
new file mode 100644
index 0000000000..14ce01d32e
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.bro
@@ -0,0 +1,23 @@
+# This test verifies that an absolute Intel::path_prefix overrides any
+# set for the Input framework. We still want the Intel framework to
+# "break out" of any file system location specified for the input
+# framework, e.g. when their paths live side-by-side (/foo/bar/input,
+# /foo/bar/intel).
+#
+# @TEST-EXEC: mkdir -p intel
+# @TEST-EXEC: cat %INPUT | sed "s|@path_prefix@|$PWD/intel|" >input.bro
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/intel/path-prefix bro -b input.bro >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE intel/test.data
+#fields indicator indicator_type meta.source
+127.0.2.1 Intel::ADDR this btest
+127.0.2.2 Intel::ADDR this btest
+127.0.2.3 Intel::ADDR this btest
+@TEST-END-FILE
+
+@load path-prefix-common.bro
+
+redef Intel::read_files += { "test.data" };
+redef InputAscii::path_prefix = "/this/does/not/exist";
+redef Intel::path_prefix = "@path_prefix@";
diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.bro
new file mode 100644
index 0000000000..346f3bad81
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.bro
@@ -0,0 +1,20 @@
+# This test verifies that combining Input::path_prefix and
+# Intel::path_prefix works as intended: the intel path gets
+# prepended first, then the input framework one.
+#
+# @TEST-EXEC: mkdir -p input/intel
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/intel/path-prefix bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE input/intel/test.data
+#fields indicator indicator_type meta.source
+127.0.1.1 Intel::ADDR this btest
+127.0.1.2 Intel::ADDR this btest
+127.0.1.3 Intel::ADDR this btest
+@TEST-END-FILE
+
+@load path-prefix-common.bro
+
+redef Intel::read_files += { "test.data" };
+redef InputAscii::path_prefix = "input";
+redef Intel::path_prefix = "intel";
diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.bro
new file mode 100644
index 0000000000..19828ea8af
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.bro
@@ -0,0 +1,20 @@
+# This test verifies that specifying an Input::path_prefix
+# also affects the Intel framework since it relies on the
+# former for loading data. (Note that this also tests the
+# Input::REREAD ingestion mode.)
+#
+# @TEST-EXEC: mkdir -p alternative
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/intel/path-prefix bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE alternative/test.data
+#fields indicator indicator_type meta.source
+127.0.0.1 Intel::ADDR this btest
+127.0.0.2 Intel::ADDR this btest
+127.0.0.3 Intel::ADDR this btest
+@TEST-END-FILE
+
+@load path-prefix-common.bro
+
+redef Intel::read_files += { "test.data" };
+redef InputAscii::path_prefix = "alternative";
diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.bro
new file mode 100644
index 0000000000..7148c1e857
--- /dev/null
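Review bot: The header comments of input-intel-relative-prefixes.bro and input-prefix.bro name an option `Input::path_prefix`, but both scripts redefine `InputAscii::path_prefix`, so a reader searching for the option named in the comment will not find it in the test. The comments should use the name the test actually sets, e.g. `# This test verifies that combining InputAscii::path_prefix and` and `# This test verifies that specifying an InputAscii::path_prefix`. The ordering claim in the first file (intel prefix prepended first, then the input one) matches the fixture path `input/intel/test.data`, so only the option name needs correcting.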
+++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.bro @@ -0,0 +1,16 @@ +# This test verifies that when setting neither InputAscii::path_prefix +# nor Intel::path_prefix, Zeek correctly locates local intel files. +# +# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/intel/path-prefix bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +@TEST-START-FILE test.data +#fields indicator indicator_type meta.source +127.0.0.1 Intel::ADDR this btest +127.0.0.2 Intel::ADDR this btest +127.0.0.3 Intel::ADDR this btest +@TEST-END-FILE + +@load path-prefix-common.bro + +redef Intel::read_files += { "test.data" }; diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.bro new file mode 100644 index 0000000000..75e67b8a7c --- /dev/null +++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.bro @@ -0,0 +1,19 @@ +# @TEST-IGNORE +# +# This file contains code used by the intel framework path-prefix tests. + +@load base/frameworks/intel + +redef exit_only_after_terminate = T; + +module Intel; + +event Intel::new_item(item: Intel::Item) + { + print fmt("%s %s", item$indicator, item$indicator_type); + } + +event Input::end_of_data(name: string, source: string) + { + terminate(); + } From 01d303b4800503c718523b2e7bba0418b4c6b0c6 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 15 Mar 2019 19:45:48 -0700 Subject: [PATCH 36/88] Migrate table-based for-loops to key-value iteration --- CHANGES | 6 ++ NEWS | 11 ++++ VERSION | 2 +- scripts/base/files/unified2/main.bro | 4 +- scripts/base/frameworks/cluster/main.bro | 4 +- scripts/base/frameworks/cluster/pools.bro | 8 +-- scripts/base/frameworks/config/main.bro | 4 +- scripts/base/frameworks/intel/files.bro | 4 +- scripts/base/frameworks/intel/main.bro | 27 ++++---- scripts/base/frameworks/notice/main.bro | 4 +- .../base/frameworks/packet-filter/main.bro | 22 +++---- scripts/base/frameworks/sumstats/main.bro | 10 +-- .../base/frameworks/sumstats/non-cluster.bro | 8 +-- scripts/base/protocols/dce-rpc/main.bro | 3 +- scripts/base/protocols/dns/main.bro | 8 +-- scripts/base/protocols/ftp/files.bro | 6 +- scripts/base/protocols/ftp/main.bro | 4 +- scripts/base/protocols/ftp/utils-commands.bro | 3 +- scripts/base/protocols/http/files.bro | 6 +- scripts/base/protocols/http/main.bro | 4 +- scripts/base/protocols/irc/dcc-send.bro | 4 +- scripts/base/protocols/krb/files.bro | 5 +- scripts/base/protocols/sip/main.bro | 8 +-- scripts/base/protocols/smb/files.bro | 7 +-- scripts/base/protocols/smb/main.bro | 3 +- scripts/base/protocols/smtp/files.bro | 3 +- scripts/base/protocols/ssl/files.bro | 15 +++-- scripts/base/utils/json.bro | 7 +-- .../intel/seen/smtp-url-extraction.bro | 3 +- .../policy/frameworks/software/vulnerable.bro | 4 +- scripts/policy/misc/weird-stats.bro | 8 +-- .../protocols/smtp/entities-excerpt.bro | 4 +- .../protocols/ssl/log-hostcerts-only.bro | 10 +-- scripts/policy/protocols/ssl/validate-sct.bro | 10 +-- testing/btest/Baseline/plugins.hooks/output | 62 +++++++++---------- .../output | 2 +- 36 files changed, 150 insertions(+), 153 deletions(-) diff --git a/CHANGES b/CHANGES index e04b3b91d9..15d1ab96b3 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,10 @@ +2.6-164 | 2019-03-15 19:45:48 -0700 + + * Migrate table-based for-loops to key-value iteration (Jon Siwek, Corelight) + + * GH-154: Extend for-loops to allow iteration over a table's key-value pairs (Zeke Medley) + 2.6-161 | 2019-03-15 12:59:31 -0700 * Fix SSH remote_location geo-data not being logged for successful authNs. (Michael Dopheide) diff --git a/NEWS b/NEWS index e11423109e..e28c17b7dc 100644 --- a/NEWS +++ b/NEWS @@ -31,6 +31,17 @@ New Functionality - Support for decapsulating VXLAN tunnels. +- The for-loop syntax now allows for iterating over key-value pairs of tables. + Previously, a separate lookup within the loop was required to obtain the + value at a given index/key, but now this works:: + + local t: table[count] of string = table(); + t[1] = "hello"; + t[55] = "goodbye"; + + for ( key, value in t ) + print key, value; + Changed Functionality --------------------- diff --git a/VERSION b/VERSION index b7ffe7a8c7..241ffcb800 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-161 +2.6-164 diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro index 9d9ef15d79..4670ff35c1 100644 --- a/scripts/base/files/unified2/main.bro +++ b/scripts/base/files/unified2/main.bro @@ -289,9 +289,9 @@ event file_state_remove(f: fa_file) { # In case any events never had matching packets, flush # the extras to the log. - for ( i in f$u2_events ) + for ( i, ev in f$u2_events ) { - Log::write(LOG, create_info(f$u2_events[i])); + Log::write(LOG, create_info(ev)); } } } diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro index c23a123cfd..2d492454d4 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.bro 
@@ -340,10 +340,8 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority= event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=10 { - for ( node_name in nodes ) + for ( node_name, n in nodes ) { - local n = nodes[node_name]; - if ( n?$id && n$id == endpoint$id ) { Cluster::log(fmt("node down: %s", node_name)); diff --git a/scripts/base/frameworks/cluster/pools.bro b/scripts/base/frameworks/cluster/pools.bro index a027fac818..8f4e92b922 100644 --- a/scripts/base/frameworks/cluster/pools.bro +++ b/scripts/base/frameworks/cluster/pools.bro @@ -246,10 +246,8 @@ event Cluster::node_down(name: string, id: string) &priority=10 function site_id_in_pool(pool: Pool, site_id: count): bool { - for ( i in pool$nodes ) + for ( i, pn in pool$nodes ) { - local pn = pool$nodes[i]; - if ( pn$site_id == site_id ) return T; } @@ -395,10 +393,8 @@ event bro_init() &priority=-5 pet$excluded += pool$spec$max_nodes; } - for ( nt in pool_eligibility ) + for ( nt, pet in pool_eligibility ) { - pet = pool_eligibility[nt]; - if ( pet$excluded > |pet$eligible_nodes| ) Reporter::fatal(fmt("not enough %s nodes to satisfy pool exclusivity requirements: need %d nodes", nt, pet$excluded)); } diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro index dc7e71ecdf..2f9dbfc720 100644 --- a/scripts/base/frameworks/config/main.bro +++ b/scripts/base/frameworks/config/main.bro @@ -159,9 +159,9 @@ event bro_init() &priority=10 # Iterate over all existing options and add ourselves as change handlers # with a low priority so that we can log the changes. local gids = global_ids(); - for ( i in gids ) + for ( i, gid in gids ) { - if ( ! gids[i]$option_value ) + if ( ! gid$option_value ) next; Option::set_change_handler(i, config_option_changed, -100); diff --git a/scripts/base/frameworks/intel/files.bro b/scripts/base/frameworks/intel/files.bro index 74fd156520..d292693d66 100644 
--- a/scripts/base/frameworks/intel/files.bro +++ b/scripts/base/frameworks/intel/files.bro @@ -53,8 +53,8 @@ hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=6 if ( s$f?$conns && |s$f$conns| == 1 ) { - for ( cid in s$f$conns ) - s$conn = s$f$conns[cid]; + for ( cid, c in s$f$conns ) + s$conn = c; } if ( ! info?$file_mime_type && s$f?$info && s$f$info?$mime_type ) diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index 1f4f7afe23..592d2b1027 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -235,8 +235,8 @@ function expire_host_data(data: table[addr] of MetaDataTable, idx: addr): interv { local meta_tbl: MetaDataTable = data[idx]; local metas: set[MetaData]; - for ( src in meta_tbl ) - add metas[meta_tbl[src]]; + for ( src, md in meta_tbl ) + add metas[md]; return expire_item(cat(idx), ADDR, metas); } @@ -245,8 +245,8 @@ function expire_subnet_data(data: table[subnet] of MetaDataTable, idx: subnet): { local meta_tbl: MetaDataTable = data[idx]; local metas: set[MetaData]; - for ( src in meta_tbl ) - add metas[meta_tbl[src]]; + for ( src, md in meta_tbl ) + add metas[md]; return expire_item(cat(idx), SUBNET, metas); } @@ -259,8 +259,8 @@ function expire_string_data(data: table[string, Type] of MetaDataTable, idx: any local meta_tbl: MetaDataTable = data[indicator, indicator_type]; local metas: set[MetaData]; - for ( src in meta_tbl ) - add metas[meta_tbl[src]]; + for ( src, md in meta_tbl ) + add metas[md]; return expire_item(indicator, indicator_type, metas); } 
@@ -306,20 +306,19 @@ function get_items(s: Seen): set[Item] if ( s$host in data_store$host_data ) { mt = data_store$host_data[s$host]; - for ( m in mt ) + for ( m, md in mt ) { - add return_data[Item($indicator=cat(s$host), $indicator_type=ADDR, $meta=mt[m])]; + add return_data[Item($indicator=cat(s$host), $indicator_type=ADDR, $meta=md)]; } } # See if the host is part of a known subnet, which has meta values local nets: table[subnet] of MetaDataTable; nets = filter_subnet_table(addr_to_subnet(s$host), data_store$subnet_data); - for ( n in nets ) + for ( n, mt in nets ) { - mt = nets[n]; - for ( m in mt ) + for ( m, md in mt ) { - add return_data[Item($indicator=cat(n), $indicator_type=SUBNET, $meta=mt[m])]; + add return_data[Item($indicator=cat(n), $indicator_type=SUBNET, $meta=md)]; } } } @@ -330,9 +329,9 @@ function get_items(s: Seen): set[Item] if ( [lower_indicator, s$indicator_type] in data_store$string_data ) { mt = data_store$string_data[lower_indicator, s$indicator_type]; - for ( m in mt ) + for ( m, md in mt ) { - add return_data[Item($indicator=s$indicator, $indicator_type=s$indicator_type, $meta=mt[m])]; + add return_data[Item($indicator=s$indicator, $indicator_type=s$indicator_type, $meta=md)]; } } } diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index f4c3f64b42..881e5d7467 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro @@ -569,10 +569,10 @@ function create_file_info(f: fa_file): Notice::FileInfo fi$mime = f$info$mime_type; if ( f?$conns && |f$conns| == 1 ) - for ( id in f$conns ) + for ( id, c in f$conns ) { fi$cid = id; - fi$cuid = f$conns[id]$uid; + fi$cuid = c$uid; } return fi; diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index 8a9cb4eb98..9657f14c44 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro 
@@ -162,16 +162,16 @@ event bro_init() &priority=5 Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter"]); # Preverify the capture and restrict filters to give more granular failure messages. - for ( id in capture_filters ) + for ( id, cf in capture_filters ) { - if ( ! test_filter(capture_filters[id]) ) - Reporter::fatal(fmt("Invalid capture_filter named '%s' - '%s'", id, capture_filters[id])); + if ( ! test_filter(cf) ) + Reporter::fatal(fmt("Invalid capture_filter named '%s' - '%s'", id, cf)); } - for ( id in restrict_filters ) + for ( id, rf in restrict_filters ) { if ( ! test_filter(restrict_filters[id]) ) - Reporter::fatal(fmt("Invalid restrict filter named '%s' - '%s'", id, restrict_filters[id])); + Reporter::fatal(fmt("Invalid restrict filter named '%s' - '%s'", id, rf)); } } @@ -234,20 +234,20 @@ function build(): string if ( |capture_filters| == 0 && ! enable_auto_protocol_capture_filters ) cfilter = default_capture_filter; - for ( id in capture_filters ) - cfilter = combine_filters(cfilter, "or", capture_filters[id]); + for ( id, cf in capture_filters ) + cfilter = combine_filters(cfilter, "or", cf); if ( enable_auto_protocol_capture_filters ) cfilter = combine_filters(cfilter, "or", Analyzer::get_bpf()); # Apply the restriction filters. local rfilter = ""; - for ( id in restrict_filters ) - rfilter = combine_filters(rfilter, "and", restrict_filters[id]); + for ( id, rf in restrict_filters ) + rfilter = combine_filters(rfilter, "and", rf); # Apply the dynamic restriction filters. - for ( filt in dynamic_restrict_filters ) - rfilter = combine_filters(rfilter, "and", string_cat("not (", dynamic_restrict_filters[filt], ")")); + for ( filt, drf in dynamic_restrict_filters ) + rfilter = combine_filters(rfilter, "and", string_cat("not (", drf, ")")); # Finally, join them into one filter. local filter = combine_filters(cfilter, "and", rfilter); 
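Review bot: In the bro_init hunk the restrict-filter loop binds `rf` but still validates `restrict_filters[id]`, so the migration is only half-applied there and reads differently from the capture-filter loop directly above it. Use the bound value: `if ( ! test_filter(rf) )`. The result is the same either way; the point is to keep the pre-verification of both filter tables written identically so a later edit to one is not missed in the other. bro_init's body starts outside the hunk.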
diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro index 69a853fd5a..a37877f7e8 100644 --- a/scripts/base/frameworks/sumstats/main.bro +++ b/scripts/base/frameworks/sumstats/main.bro @@ -300,17 +300,17 @@ function compose_results(r1: Result, r2: Result): Result { local result: Result = table(); - for ( id in r1 ) + for ( id, rv in r1 ) { - result[id] = r1[id]; + result[id] = rv; } - for ( id in r2 ) + for ( id, rv in r2 ) { if ( id in r1 ) - result[id] = compose_resultvals(r1[id], r2[id]); + result[id] = compose_resultvals(r1[id], rv); else - result[id] = r2[id]; + result[id] = rv; } return result; diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro index 100e8dad4a..b4292431c5 100644 --- a/scripts/base/frameworks/sumstats/non-cluster.bro +++ b/scripts/base/frameworks/sumstats/non-cluster.bro @@ -8,9 +8,9 @@ event SumStats::process_epoch_result(ss: SumStat, now: time, data: ResultTable) local i = 50; local keys_to_delete: vector of SumStats::Key = vector(); - for ( key in data ) + for ( key, res in data ) { - ss$epoch_result(now, key, data[key]); + ss$epoch_result(now, key, res); keys_to_delete += key; if ( --i == 0 ) @@ -37,8 +37,8 @@ event SumStats::finish_epoch(ss: SumStat) local now = network_time(); if ( bro_is_terminating() ) { - for ( key in data ) - ss$epoch_result(now, key, data[key]); + for ( key, val in data ) + ss$epoch_result(now, key, val); if ( ss?$epoch_finished ) ss$epoch_finished(now); diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro index e73bfa4b2b..7013ae15e9 100644 --- a/scripts/base/protocols/dce-rpc/main.bro +++ b/scripts/base/protocols/dce-rpc/main.bro 
@@ -215,9 +215,8 @@ event connection_state_remove(c: connection) return; # TODO: Go through any remaining dce_rpc requests that haven't been processed with replies. - for ( i in c$dce_rpc_backing ) + for ( i, x in c$dce_rpc_backing ) { - local x = c$dce_rpc_backing[i]; set_state(c, x); # In the event that the binding wasn't seen, but the pipe diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 2a49e332d7..f8e655d826 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -184,9 +184,9 @@ function log_unmatched_msgs_queue(q: Queue::Queue) function log_unmatched_msgs(msgs: PendingMessages) { - for ( trans_id in msgs ) + for ( trans_id, q in msgs ) { - log_unmatched_msgs_queue(msgs[trans_id]); + log_unmatched_msgs_queue(q); } clear_table(msgs); @@ -285,8 +285,8 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 else { # Just pick an arbitrary, unpaired query. - for ( trans_id in c$dns_state$pending_queries ) - if ( Queue::len(c$dns_state$pending_queries[trans_id]) > 0 ) + for ( trans_id, q in c$dns_state$pending_queries ) + if ( Queue::len(q) > 0 ) { c$dns_state$pending_query = pop_msg(c$dns_state$pending_queries, trans_id); break; diff --git a/scripts/base/protocols/ftp/files.bro b/scripts/base/protocols/ftp/files.bro index c114f11c8d..e84eda7a5a 100644 --- a/scripts/base/protocols/ftp/files.bro +++ b/scripts/base/protocols/ftp/files.bro @@ -37,10 +37,10 @@ function describe_file(f: fa_file): string if ( f$source != "FTP" ) return ""; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - if ( f$conns[cid]?$ftp ) - return FTP::describe(f$conns[cid]$ftp); + if ( c?$ftp ) + return FTP::describe(c$ftp); } return ""; } diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index b3eaf79370..9b64345a12 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro 
@@ -295,9 +295,9 @@ event connection_state_remove(c: connection) &priority=-5 { if ( ! c?$ftp ) return; - for ( ca in c$ftp$pending_commands ) + for ( ca, cmdarg in c$ftp$pending_commands ) { - c$ftp$cmdarg = c$ftp$pending_commands[ca]; + c$ftp$cmdarg = cmdarg; ftp_message(c$ftp); } } diff --git a/scripts/base/protocols/ftp/utils-commands.bro b/scripts/base/protocols/ftp/utils-commands.bro index 0ee1635b4a..67c52e62e4 100644 --- a/scripts/base/protocols/ftp/utils-commands.bro +++ b/scripts/base/protocols/ftp/utils-commands.bro @@ -91,9 +91,8 @@ function get_pending_cmd(pc: PendingCmds, reply_code: count, reply_msg: string): local best_seq = 0; local best_score: int = -1; - for ( cmd_seq in pc ) + for ( cmd_seq, cmd in pc ) { - local cmd = pc[cmd_seq]; local score: int = 0; # if the command is compatible with the reply code diff --git a/scripts/base/protocols/http/files.bro b/scripts/base/protocols/http/files.bro index 840b5a2372..078c6d2e66 100644 --- a/scripts/base/protocols/http/files.bro +++ b/scripts/base/protocols/http/files.bro @@ -40,10 +40,10 @@ function describe_file(f: fa_file): string if ( f$source != "HTTP" ) return ""; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - if ( f$conns[cid]?$http ) - return build_url_http(f$conns[cid]$http); + if ( c?$http ) + return build_url_http(c$http); } return ""; } diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 215ad61fc3..ea86367bb1 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -326,11 +326,11 @@ event connection_state_remove(c: connection) &priority=-5 # Flush all pending but incomplete request/response pairs. if ( c?$http_state ) { - for ( r in c$http_state$pending ) + for ( r, info in c$http_state$pending ) { # We don't use pending elements at index 0. if ( r == 0 ) next; - Log::write(HTTP::LOG, c$http_state$pending[r]); + Log::write(HTTP::LOG, info); } } } 
diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 44d939209e..bf5094a4f2 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -65,10 +65,8 @@ function log_dcc(f: fa_file) { if ( ! f?$conns ) return; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - local c: connection = f$conns[cid]; - if ( [cid$resp_h, cid$resp_p] !in dcc_expected_transfers ) next; local irc = dcc_expected_transfers[cid$resp_h, cid$resp_p]; diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro index 5a155d9184..18ee4da83f 100644 --- a/scripts/base/protocols/krb/files.bro +++ b/scripts/base/protocols/krb/files.bro @@ -48,11 +48,10 @@ function describe_file(f: fa_file): string # are already populated). # # Just return a bit of our connection information and hope that that is good enough. - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - if ( f$conns[cid]?$krb ) + if ( c?$krb ) { - local c = f$conns[cid]; return cat(c$id$resp_h, ":", c$id$resp_p); } } diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.bro index 1089f0c1a4..68ebb9b222 100644 --- a/scripts/base/protocols/sip/main.bro +++ b/scripts/base/protocols/sip/main.bro @@ -149,13 +149,13 @@ function flush_pending(c: connection) # Flush all pending but incomplete request/response pairs. if ( c?$sip_state ) { - for ( r in c$sip_state$pending ) + for ( r, info in c$sip_state$pending ) { # We don't use pending elements at index 0. if ( r == 0 ) next; - Log::write(SIP::LOG, c$sip_state$pending[r]); + Log::write(SIP::LOG, info); } } } @@ -293,9 +293,9 @@ event connection_state_remove(c: connection) &priority=-5 { if ( c?$sip_state ) { - for ( r in c$sip_state$pending ) + for ( r, info in c$sip_state$pending ) { - Log::write(SIP::LOG, c$sip_state$pending[r]); + Log::write(SIP::LOG, info); } } } 
diff --git a/scripts/base/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro index d01aa815a5..0ee4d0a873 100644 --- a/scripts/base/protocols/smb/files.bro +++ b/scripts/base/protocols/smb/files.bro @@ -38,11 +38,10 @@ function describe_file(f: fa_file): string if ( f$source != "SMB" ) return ""; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - local info = f$conns[cid]; - if ( info?$smb_state && info$smb_state?$current_file && info$smb_state$current_file?$name ) - return info$smb_state$current_file$name; + if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name ) + return c$smb_state$current_file$name; } return ""; } diff --git a/scripts/base/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro index 14ecbecf46..07225548be 100644 --- a/scripts/base/protocols/smb/main.bro +++ b/scripts/base/protocols/smb/main.bro @@ -238,9 +238,8 @@ event file_state_remove(f: fa_file) &priority=-5 if ( f$source != "SMB" ) return; - for ( id in f$conns ) + for ( id, c in f$conns ) { - local c = f$conns[id]; if ( c?$smb_state && c$smb_state?$current_file) { write_file_log(c$smb_state); diff --git a/scripts/base/protocols/smtp/files.bro b/scripts/base/protocols/smtp/files.bro index a65b90b528..bf410fa201 100644 --- a/scripts/base/protocols/smtp/files.bro +++ b/scripts/base/protocols/smtp/files.bro @@ -31,9 +31,8 @@ function describe_file(f: fa_file): string if ( f$source != "SMTP" ) return ""; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - local c = f$conns[cid]; return SMTP::describe(c$smtp); } return ""; diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index d0d89561e3..ae13147d8e 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro 
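Review bot: In smtp/files.bro, describe_file returns `SMTP::describe(c$smtp)` for the first connection without testing that the field is set, whereas the ftp, http, krb and ssl versions of describe_file in this same patch guard with `c?$ftp`, `c?$http`, `c?$krb` and `c?$ssl`. If a connection attached to the file has no `smtp` record, this would presumably raise a runtime error in the handler instead of yielding an empty description. Since the loop is being rewritten anyway, guard it like its siblings: `if ( c?$smtp ) return SMTP::describe(c$smtp);`. The function starts outside the hunk.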
@@ -66,11 +66,10 @@ function describe_file(f: fa_file): string # are already populated). # # Just return a bit of our connection information and hope that that is good enough. - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - if ( f$conns[cid]?$ssl ) + if ( c?$ssl ) { - local c = f$conns[cid]; return cat(c$id$resp_h, ":", c$id$resp_p); } } @@ -103,12 +102,12 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 || f$info$mime_type == "application/pkix-cert" ) ) return; - for ( cid in f$conns ) - { - if ( ! f$conns[cid]?$ssl ) - return; + local c: connection; - local c = f$conns[cid]; + for ( cid, c in f$conns ) + { + if ( ! c?$ssl ) + return; } if ( ! c$ssl?$cert_chain ) diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro index 45248e3ea2..ead214f93e 100644 --- a/scripts/base/utils/json.bro +++ b/scripts/base/utils/json.bro @@ -57,9 +57,8 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p local rec_parts: string_vec = vector(); local ft = record_fields(v); - for ( field in ft ) + for ( field, field_desc in ft ) { - local field_desc = ft[field]; # replace the escape pattern in the field. if( field_escape_pattern in field ) field = cat(sub(field, field_escape_pattern, "")); @@ -87,11 +86,11 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p { local tab_parts: vector of string = vector(); local ta: table[bool] of any = v; - for ( ti in ta ) + for ( ti, tv in ta ) { local ts = to_json(ti); local if_quotes = (ts[0] == "\"") ? "" : "\""; - tab_parts += cat(if_quotes, ts, if_quotes, ": ", to_json(ta[ti], only_loggable)); + tab_parts += cat(if_quotes, ts, if_quotes, ": ", to_json(tv, only_loggable)); } return cat("{", join_string_vec(tab_parts, ", "), "}"); } diff --git a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro index aa9c322bcf..343beb277e 100644 
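Review bot: In the `file_sniff` hunk of scripts/base/protocols/ssl/files.bro, `c` is now declared before the loop and read after it at `if ( ! c$ssl?$cert_chain )`, so the handler depends on the loop variable keeping its last value and on `f$conns` holding exactly one entry. With an empty table `c` would presumably still be unset at that read, and with several entries the connection that receives the certificate chain would depend on table iteration order. The validate-sct.bro hunk shows `if ( |f$conns| != 1 ) return;` directly above the same pattern, but no such guard is visible in this hunk or in the `file_sniff` hunk of log-hostcerts-only.bro, both of which start mid-function. I would state the invariant next to the declaration, for example `# f$conns has exactly one entry (checked above); the loop only binds c.`, and add the size check wherever it turns out to be missing.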
--- a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro +++ b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro @@ -8,9 +8,8 @@ event intel_mime_data(f: fa_file, data: string) if ( ! f?$conns ) return; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - local c: connection = f$conns[cid]; local urls = find_all_urls_without_scheme(data); for ( url in urls ) { diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro index 13de1c9cf8..92a6698af3 100644 --- a/scripts/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.bro @@ -111,8 +111,8 @@ function update_vulnerable_sw() internal_vulnerable_versions = table(); # Copy the const vulnerable versions into the global modifiable one. - for ( sw in vulnerable_versions ) - internal_vulnerable_versions[sw] = vulnerable_versions[sw]; + for ( sw, vuln_range_set in vulnerable_versions ) + internal_vulnerable_versions[sw] = vuln_range_set; event grab_vulnerable_versions(1); } diff --git a/scripts/policy/misc/weird-stats.bro b/scripts/policy/misc/weird-stats.bro index d08ce9381d..50e29dd010 100644 --- a/scripts/policy/misc/weird-stats.bro +++ b/scripts/policy/misc/weird-stats.bro @@ -33,14 +33,14 @@ function weird_epoch_results(ts: time, key: SumStats::Key, result: SumStats::Res function weird_epoch_finished(ts: time) { - for ( n in this_epoch_weirds ) + for ( n, v in this_epoch_weirds ) { local last_count: double = 0.0; if ( n in last_epoch_weirds ) last_count = last_epoch_weirds[n]; - local num_seen: double = this_epoch_weirds[n] - last_count; + local num_seen: double = v - last_count; if ( num_seen > 0.0 ) Log::write(LOG, Info($ts = ts, $name = n, 
@@ -70,9 +70,9 @@ function observe_weird_stats() { local rs = get_reporter_stats(); - for ( n in rs$weirds_by_type ) + for ( n, v in rs$weirds_by_type ) SumStats::observe("weirds.encountered", SumStats::Key($str = n), - SumStats::Observation($dbl=rs$weirds_by_type[n]+0.0)); + SumStats::Observation($dbl=(v + 0.0))); } @if ( Cluster::is_enabled() ) diff --git a/scripts/policy/protocols/smtp/entities-excerpt.bro b/scripts/policy/protocols/smtp/entities-excerpt.bro index a3c35507ca..f4ee2b07d5 100644 --- a/scripts/policy/protocols/smtp/entities-excerpt.bro +++ b/scripts/policy/protocols/smtp/entities-excerpt.bro @@ -24,10 +24,8 @@ event file_new(f: fa_file) &priority=5 if ( ! f?$bof_buffer ) return; if ( ! f?$conns ) return; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - local c: connection = f$conns[cid]; - if ( ! c?$smtp ) next; if ( default_entity_excerpt_len > 0 ) diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro index 7f07c2b069..258820664f 100644 --- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro +++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro @@ -51,12 +51,12 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=4 || f$info$mime_type == "application/pkix-cert" ) ) return; - for ( cid in f$conns ) - { - if ( ! f$conns[cid]?$ssl ) - return; + local c: connection; - local c = f$conns[cid]; + for ( cid, c in f$conns ) + { + if ( ! c?$ssl ) + return; } local chain: vector of string; diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index 0ce11b63ff..4d79bfd7ad 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro 
@@ -95,12 +95,12 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log if ( |f$conns| != 1 ) return; - for ( cid in f$conns ) - { - if ( ! f$conns[cid]?$ssl ) - return; + local c: connection; - local c = f$conns[cid]; + for ( cid, c in f$conns ) + { + if ( ! c?$ssl ) + return; } c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 594d814175..7799ecbcee 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -176,15 +176,15 @@ 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid, FTP::c{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::c?$ftp) return (FTP::describe(FTP::c$ftp))}return ()}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid, HTTP::c{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::c?$http) return (HTTP::build_url_http(HTTP::c$http))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost 
CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , 
SSL::f$info$x509$certificate$issuer))}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? 
SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., 
ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> @@ -277,7 +277,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -462,7 +462,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -1077,15 +1077,15 @@ 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid, FTP::c{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::c?$ftp) return (FTP::describe(FTP::c$ftp))}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid, HTTP::c{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::c?$http) return (HTTP::build_url_http(HTTP::c$http))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre 
CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , 
SSL::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? 
SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, 
ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) @@ -1178,7 +1178,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1363,7 +1363,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1977,15 +1977,15 @@ 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-ca-cert) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec}) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid, FTP::c{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::c?$ftp) return (FTP::describe(FTP::c$ftp))}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid, HTTP::c{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::c?$http) return (HTTP::build_url_http(HTTP::c$http))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, 
[get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction 
Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? 
SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Log::__add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, 
postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) @@ -2078,7 +2078,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2263,7 +2263,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2696,7 +2696,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1552582539.914970, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index fd0420cc79..dca63f379e 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output @@ -6,6 +6,6 @@ #open 2018-02-27-17-25-30 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 553-554 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 552-553 0.000000 Reporter::INFO received termination signal (empty) #close 2018-02-27-17-25-30 From eb9a05cd25e46cec6710e1122fc4ff758b4ae2e3 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 18 Mar 2019 13:58:28 -0700 Subject: [PATCH 37/88] GH-307: Build binpac as a shared lib, not static by default --- CHANGES | 4 ++++ CMakeLists.txt | 12 ++++++++++++ NEWS | 4 ++++ VERSION | 2 +- aux/bifcl | 2 +- aux/binpac | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/zeek-aux | 2 +- cmake | 2 +- configure | 4 ++++ 12 files changed, 32 insertions(+), 8 deletions(-) 
diff --git a/CHANGES b/CHANGES index 1e97c6328c..f1aa05b9ce 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-167 | 2019-03-18 13:58:28 -0700 + + * GH-307: Build binpac as a shared lib, not static by default (Jon Siwek, Corelight) + 2.6-166 | 2019-03-18 11:45:35 -0700 * Add source file path control options for Input and Intel frameworks (Christian Kreibich, Corelight) diff --git a/CMakeLists.txt b/CMakeLists.txt index 3c82a6d9ff..cfe0b29ed9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -97,7 +97,15 @@ FindRequiredPackage(ZLIB) if (NOT BINPAC_EXE_PATH AND EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt) + + set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY}) + + if ( BUILD_STATIC_BINPAC ) + set(ENABLE_STATIC_ONLY true) + endif() + add_subdirectory(aux/binpac) + set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED}) endif () FindRequiredPackage(BinPAC) @@ -286,10 +294,14 @@ if ( BROKER_ROOT_DIR ) set(brodeps ${brodeps} ${BROKER_LIBRARY} ${CAF_LIBRARIES}) include_directories(BEFORE ${BROKER_INCLUDE_DIR}) else () + set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY}) + if ( BUILD_STATIC_BROKER ) set(ENABLE_STATIC_ONLY true) endif() + add_subdirectory(aux/broker) + set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED}) if ( BUILD_STATIC_BROKER ) set(brodeps ${brodeps} broker_static) diff --git a/NEWS b/NEWS index 862a294ce9..7bbf4543f2 100644 --- a/NEWS +++ b/NEWS @@ -79,6 +79,10 @@ Changed Functionality by default. The limit can also be ignored case-by-case via the "HTTP::max_files_policy" hook. +- The binpac library is now only compiled as a shared library by default. + To revert back to compiling only a static library, there's the + ``--enable-static-binpac`` configure option. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index 7913ca2d43..787f4ccb54 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-166 +2.6-167 diff --git a/aux/bifcl b/aux/bifcl index 7e214967f4..44622332fb 160000 --- a/aux/bifcl +++ b/aux/bifcl 
@@ -1 +1 @@
-Subproject commit 7e214967f4a4416a9e4c45d58b43f569e933b365
+Subproject commit 44622332fb1361383799be33e365704caacce199
diff --git a/aux/binpac b/aux/binpac
index b6cfc1243f..bb2476465e 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit b6cfc1243f3e63037131e214f5c64a03eaad1d00
+Subproject commit bb2476465e304a00c368bd73d40cc6f734be5311
diff --git a/aux/broccoli b/aux/broccoli
index 1b437de310..41841d8f64 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 1b437de310fb137ff271018065280ee1e65d6deb
+Subproject commit 41841d8f64bdb062860309f7b36513212e81befa
diff --git a/aux/broctl b/aux/broctl
index 5601ca0ac3..b5b2b7895f 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 5601ca0ac31a59356bb67343cb3a66eca7386651
+Subproject commit b5b2b7895f264c825d7ff4bd8a88a4d5b6c4821c
diff --git a/aux/broker b/aux/broker
index 22560477b5..7d89cb7cd7 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 22560477b5d107fc75af628f67d3afe9ec211b35
+Subproject commit 7d89cb7cd7213db9be59258f0f76a084d5d87879
diff --git a/aux/zeek-aux b/aux/zeek-aux
index a95eee2a2f..96c787cb39 160000
--- a/aux/zeek-aux
+++ b/aux/zeek-aux
@@ -1 +1 @@
-Subproject commit a95eee2a2f018f899dfe19a4f9f2425c041f05bd
+Subproject commit 96c787cb396a5aad2d3ea3b2087f2a1fcd6b7216
diff --git a/cmake b/cmake
index ad4d2fa614..0c1ee634a8 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit ad4d2fa614390e6bb288fd2be4387a96ff3fb9e7
+Subproject commit 0c1ee634a8f915e738da72c797a17aad9cb618dd
diff --git a/configure b/configure
index ada9d21322..98bfc5308d 100755
--- a/configure
+++ b/configure
@@ -53,6 +53,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --enable-jemalloc link against jemalloc --enable-broccoli build or install the Broccoli library (deprecated) --enable-static-broker build broker statically (ignored if --with-broker is specified) + --enable-static-binpac build binpac statically (ignored if --with-binpac is specified) --disable-broctl don't install Broctl --disable-auxtools don't build or install auxiliary tools --disable-perftools don't try to build with Google Perftools @@ -227,6 +228,9 @@ while [ $# -ne 0 ]; do --enable-static-broker) append_cache_entry BUILD_STATIC_BROKER BOOL true ;; + --enable-static-binpac) + append_cache_entry BUILD_STATIC_BINPAC BOOL true + ;; --disable-broctl) append_cache_entry INSTALL_BROCTL BOOL false ;; From 2b79c7af168eeb39f696cb5bbbb433328093e4a4 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 22 Mar 2019 13:07:52 -0700 Subject: [PATCH 38/88] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 7d89cb7cd7..24867d5972 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 7d89cb7cd7213db9be59258f0f76a084d5d87879 +Subproject commit 24867d59728c56e295b1489f308161d0095ce487 From b2930a6ec342591567edd7c6d9d52ab360fc0abe Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 22 Mar 2019 16:35:28 -0700 Subject: [PATCH 39/88] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index b5b2b7895f..963a4e1501 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit b5b2b7895f264c825d7ff4bd8a88a4d5b6c4821c +Subproject commit 963a4e1501ef28370f3dd3e2a5c79b3515e10a7a From 3e31f3d5543ca17ac4ba5237aa9a91dca723b18c Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Sun, 24 Mar 2019 21:31:48 +0100 Subject: [PATCH 40/88] Added hook to filter intelligence items. --- scripts/base/frameworks/intel/main.bro | 15 +++++++++++++-- .../output | 6 +++--- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index 592d2b1027..4bc3b296dd 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -173,6 +173,14 @@ export { ## be removed. global item_expired: hook(indicator: string, indicator_type: Type, metas: set[MetaData]); + ## This hook can be used to filter intelligence items that are about to be + ## inserted into the internal data store. In case the hook execution is + ## terminated using break, the item will not be (re)added to the internal + ## data store. + ## + ## item: The intel item that should be inserted. + global filter_item: hook(item: Intel::Item); + global log_intel: event(rec: Info); } @@ -496,8 +504,11 @@ function _insert(item: Item, first_dispatch: bool &default = T) function insert(item: Item) { - # Insert possibly new item. - _insert(item, T); + if ( hook filter_item(item) ) + { + # Insert possibly new item. + _insert(item, T); + } } # Function to check whether an item is present. diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index dca63f379e..90d390518f 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output 
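Review bot: The `filter_item` check in the second hunk guards only the public `insert()`; `_insert()` itself is unguarded, so any path that reaches `_insert()` directly (none is visible in this hunk, so this needs checking against the rest of the file and the cluster code) would store items the hook was meant to reject. If the hook is intended as a policy gate rather than a convenience, it should be evaluated where the item enters the data store, or `insert()` should at least carry a comment such as `# filter_item is evaluated here only; direct callers of _insert() bypass it`. The hook's doc comment in the first hunk could also state whether handlers may modify `item`. `_insert()` begins outside the hunk.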
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path reporter -#open 2018-02-27-17-25-30 +#open 2019-03-24-20-20-10 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 552-553 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/zeek/scripts/base/frameworks/intel/./main.bro, lines 563-564 0.000000 Reporter::INFO received termination signal (empty) -#close 2018-02-27-17-25-30 +#close 2019-03-24-20-20-10 From 0f86aaff4b50a9260d18824b915441ed28b326e0 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Sun, 24 Mar 2019 21:32:45 +0100 Subject: [PATCH 41/88] Added test for intel item filtering. --- .../broproc.intel.log | 10 +++++ .../base/frameworks/intel/filter-item.bro | 43 +++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/broproc.intel.log create mode 100644 testing/btest/scripts/base/frameworks/intel/filter-item.bro diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/broproc.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/broproc.intel.log new file mode 100644 index 0000000000..dfe45974c1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/broproc.intel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path intel +#open 2019-03-24-20-29-18 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc +#types time string addr port addr port string enum enum string set[enum] set[string] string string string +1553459358.205227 - - - - - 1.2.3.42 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +#close 2019-03-24-20-29-18 
diff --git a/testing/btest/scripts/base/frameworks/intel/filter-item.bro b/testing/btest/scripts/base/frameworks/intel/filter-item.bro
new file mode 100644
index 0000000000..4973674d95
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/filter-item.bro
@@ -0,0 +1,43 @@
+
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff broproc/intel.log
+
+@TEST-START-FILE intel.dat
+#fields indicator indicator_type meta.source meta.desc meta.url
+1.2.3.42 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1234
+10.0.0.1 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1234
+@TEST-END-FILE
+
+redef exit_only_after_terminate = T;
+redef Site::local_nets += { 10.0.0.0/8 };
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+hook Intel::filter_item(item: Intel::Item)
+ {
+ if ( item$indicator_type == Intel::ADDR &&
+ Site::is_local_addr(to_addr(item$indicator)) )
+ break;
+ }
+
+event do_it()
+ {
+ Intel::seen([$host=1.2.3.42,
+ $where=SOMEWHERE]);
+ Intel::seen([$host=10.0.0.1,
+ $where=SOMEWHERE]);
+ }
+
+global log_lines = 0;
+event Intel::log_intel(rec: Intel::Info)
+ {
+ ++log_lines;
+ if ( log_lines == 1 )
+ terminate();
+ }
+
+event bro_init() &priority=-10
+ {
+ schedule 1sec { do_it() };
+ }
\ No newline at end of file
From c301e1c9b444912517d9b57827da3c7575b13912 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Sun, 24 Mar 2019 22:16:13 +0100 Subject: [PATCH 42/88] Added policy script for intel removal. --- scripts/policy/frameworks/intel/removal.bro | 23 +++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 scripts/policy/frameworks/intel/removal.bro
diff --git a/scripts/policy/frameworks/intel/removal.bro b/scripts/policy/frameworks/intel/removal.bro
new file mode 100644
index 0000000000..cc4bb42921
--- /dev/null
+++ b/scripts/policy/frameworks/intel/removal.bro
@@ -0,0 +1,23 @@
+##! This script enables removal of intelligence items.
+
+@load base/frameworks/intel
+
+module Intel;
+
+export {
+ redef record Intel::MetaData += {
+ ## A boolean value to indicate whether the item should be removed.
+ remove: bool &default=F;
+ };
+}
+
+hook Intel::filter_item(item: Item)
+ {
+ if ( item$meta$remove )
+ {
+ Intel::remove(item);
+ # Prevent readding
+ break;
+ }
+ }
+
From 2d9b90cddc49bc870b1c8b7a0cd46505585d1687 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Sun, 24 Mar 2019 22:24:12 +0100 Subject: [PATCH 43/88] Added test for intel removal policy script. --- .../broproc.intel.log | 10 ++++ .../policy/frameworks/intel/removal.bro | 46 +++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.intel.removal/broproc.intel.log create mode 100644 testing/btest/scripts/policy/frameworks/intel/removal.bro
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/broproc.intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/broproc.intel.log
new file mode 100644
index 0000000000..d43abf187b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/broproc.intel.log
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path intel +#open 2019-03-24-21-15-06 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc +#types time string addr port addr port string enum enum string set[enum] set[string] string string string +1553462106.131323 - - - - - 10.0.0.2 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +#close 2019-03-24-21-15-06
diff --git a/testing/btest/scripts/policy/frameworks/intel/removal.bro b/testing/btest/scripts/policy/frameworks/intel/removal.bro
new file mode 100644
index 0000000000..4d7e450da4
--- /dev/null
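Review bot: `Intel::remove(item)` in the `filter_item` handler acts on whatever `meta.source` the incoming record declares, so with this script loaded any feed that is read can, as far as this hunk shows, withdraw indicators attributed to another source by naming that source and setting `remove` to `T`. Every loaded intel file thereby becomes a deletion channel for detection data, and the `remove` field's doc comment should say so, e.g. `## Removal applies to the entry for this item's meta$source; only load this script with feeds that are trusted to withdraw intel.` Presumably `Intel::remove` without its purge argument drops only that source's metadata, which is worth confirming and stating in the same comment. A `Reporter::info` line per removal would also give operators a trail when indicator coverage shrinks.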
+++ b/testing/btest/scripts/policy/frameworks/intel/removal.bro
@@ -0,0 +1,46 @@
+
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff broproc/intel.log
+
+@TEST-START-FILE intel.dat
+#fields indicator indicator_type meta.source meta.remove
+10.0.0.1 Intel::ADDR source1 T
+10.0.0.2 Intel::ADDR source1 F
+@TEST-END-FILE
+
+@load frameworks/intel/removal
+
+redef exit_only_after_terminate = T;
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+hook Intel::filter_item(item: Intel::Item)
+ {
+ if ( item$indicator_type == Intel::ADDR &&
+ Site::is_local_addr(to_addr(item$indicator)) )
+ break;
+ }
+
+event do_it()
+ {
+ Intel::seen([$host=10.0.0.1,
+ $where=SOMEWHERE]);
+ Intel::seen([$host=10.0.0.2,
+ $where=SOMEWHERE]);
+ }
+
+global log_lines = 0;
+event Intel::log_intel(rec: Intel::Info)
+ {
+ ++log_lines;
+ if ( log_lines == 1 )
+ terminate();
+ }
+
+event bro_init() &priority=-10
+ {
+ Intel::insert([$indicator="10.0.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+ Intel::insert([$indicator="10.0.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+ schedule 1sec { do_it() };
+ }
\ No newline at end of file
From a7b9c1d2584ce5e33365d3c8466e15339adbc33b Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Sun, 24 Mar 2019 22:45:24 +0100 Subject: [PATCH 44/88] Added new intel policy script to policy test. --- scripts/test-all-policy.bro | 1 + 1 file changed, 1 insertion(+)
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index c3c2941b06..2e38738527 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -16,6 +16,7 @@ @load frameworks/intel/do_notice.bro @load frameworks/intel/do_expire.bro @load frameworks/intel/whitelist.bro +@load frameworks/intel/removal.bro @load frameworks/intel/seen/__load__.bro @load frameworks/intel/seen/conn-established.bro @load frameworks/intel/seen/dns.bro
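Review bot: The `Intel::filter_item` handler in this test looks copied from filter-item.bro and has no role here: the file never adds to `Site::local_nets`, so `Site::is_local_addr` presumably never matches and the handler is a no-op. If a default ever did cover 10.0.0.0/8, it would filter both 10.0.0.1 and 10.0.0.2 regardless of the removal script, and the baseline would change for a reason unrelated to removal. Dropping the handler and adding a comment such as `# 10.0.0.1 is withdrawn via meta.remove=T, so only 10.0.0.2 should be logged` keeps the test about the policy script alone.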
From dbf5d5fc95373a39a53247aa252e34ca48dd351f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 25 Mar 2019 17:49:18 -0700 Subject: [PATCH 45/88] Deprecate str_shell_escape, add safe_shell_quote replacement --- CHANGES | 4 ++ NEWS | 4 ++ VERSION | 2 +- doc | 2 +- scripts/base/utils/active-http.bro | 12 ++--- scripts/base/utils/dir.bro | 2 +- scripts/base/utils/exec.bro | 6 +-- src/bro.bif | 6 +-- src/strings.bif | 48 ++++++++++++++++++- .../btest/Baseline/bifs.safe_shell_quote/out | 2 + testing/btest/bifs/safe_shell_quote.bro | 12 +++++ 11 files changed, 83 insertions(+), 17 deletions(-) create mode 100644 testing/btest/Baseline/bifs.safe_shell_quote/out create mode 100644 testing/btest/bifs/safe_shell_quote.bro diff --git a/CHANGES b/CHANGES index 20a25c551e..733c4ed9dc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-192 | 2019-03-25 17:49:18 -0700 + + * Deprecate str_shell_escape, add safe_shell_quote replacement (Jon Siwek, Corelight) + 2.6-191 | 2019-03-25 16:43:10 -0700 * Add support for SMB filenames to the intel framework (Stephen Hosom) diff --git a/NEWS b/NEWS index d673e3385e..09763cdd0e 100644 --- a/NEWS +++ b/NEWS @@ -106,6 +106,10 @@ Removed Functionality Deprecated Functionality ------------------------ +- The ``str_shell_escape` function is now deprecated, use ``safe_shell_quote`` + instead. The later will automatically return a value that is enclosed + in double-quotes. + Bro 2.6 ======= diff --git a/VERSION b/VERSION index 73ef942bdc..e7ef7ca154 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-191 +2.6-192 diff --git a/doc b/doc index 406d0c8574..e404fc80c5 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 406d0c857491927d7fbee7aef954b8a40f23978d +Subproject commit e404fc80c5c4ecfd0c4441b6b83826761bd985e9 diff --git a/scripts/base/utils/active-http.bro b/scripts/base/utils/active-http.bro index a6b0f8111c..8243a7a9a9 100644 --- a/scripts/base/utils/active-http.bro +++ b/scripts/base/utils/active-http.bro 
@@ -57,10 +57,10 @@ export { function request2curl(r: Request, bodyfile: string, headersfile: string): string { - local cmd = fmt("curl -s -g -o \"%s\" -D \"%s\" -X \"%s\"", - str_shell_escape(bodyfile), - str_shell_escape(headersfile), - str_shell_escape(r$method)); + local cmd = fmt("curl -s -g -o %s -D %s -X %s", + safe_shell_quote(bodyfile), + safe_shell_quote(headersfile), + safe_shell_quote(r$method)); cmd = fmt("%s -m %.0f", cmd, r$max_time); @@ -70,9 +70,9 @@ function request2curl(r: Request, bodyfile: string, headersfile: string): string if ( r?$addl_curl_args ) cmd = fmt("%s %s", cmd, r$addl_curl_args); - cmd = fmt("%s \"%s\"", cmd, str_shell_escape(r$url)); + cmd = fmt("%s %s", cmd, safe_shell_quote(r$url)); # Make sure file will exist even if curl did not write one. - cmd = fmt("%s && touch %s", cmd, str_shell_escape(bodyfile)); + cmd = fmt("%s && touch %s", cmd, safe_shell_quote(bodyfile)); return cmd; } diff --git a/scripts/base/utils/dir.bro b/scripts/base/utils/dir.bro index c3598d039d..eb5597a7b7 100644 --- a/scripts/base/utils/dir.bro +++ b/scripts/base/utils/dir.bro @@ -28,7 +28,7 @@ event Dir::monitor_ev(dir: string, last_files: set[string], callback: function(fname: string), poll_interval: interval) { - when ( local result = Exec::run([$cmd=fmt("ls -1 \"%s/\"", str_shell_escape(dir))]) ) + when ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) ) { if ( result$exit_code != 0 ) { diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.bro index 37668c0bc6..91053a1223 100644 --- a/scripts/base/utils/exec.bro +++ b/scripts/base/utils/exec.bro @@ -8,7 +8,7 @@ export { type Command: record { ## The command line to execute. Use care to avoid injection ## attacks (i.e., if the command uses untrusted/variable data, - ## sanitize it with :bro:see:`str_shell_escape`). + ## sanitize it with :bro:see:`safe_shell_quote`). cmd: string; ## Provide standard input to the program as a string. stdin: string &default=""; 
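Review bot: A value that begins with `-` is still parsed as an option by the program being run, because safe_shell_quote only stops the shell from interpreting it. This applies to the positional arguments in `touch %s` at the end of request2curl, `ls -1 %s/` in Dir::monitor_ev, both `rm %s` calls in exec.bro, and the `rm %s` usage example in the system() documentation in bro.bif, which is shown with sniffed data. For those utilities an end-of-options marker closes the gap, e.g. `system(fmt("rm -- %s", safe_shell_quote(track_file)));`, and the documentation example should show the same form. Whether bodyfile, dir and track_file can be influenced from outside is not visible in these hunks, and the enclosing functions continue beyond them.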
@@ -122,7 +122,7 @@ event Input::end_of_data(orig_name: string, source:string) delete pending_files[name][track_file]; if ( |pending_files[name]| == 0 ) delete pending_commands[name]; - system(fmt("rm \"%s\"", str_shell_escape(track_file))); + system(fmt("rm %s", safe_shell_quote(track_file))); } } @@ -191,5 +191,5 @@ event bro_done() # We are punting here and just deleting any unprocessed files. for ( uid in pending_files ) for ( fname in pending_files[uid] ) - system(fmt("rm \"%s\"", str_shell_escape(fname))); + system(fmt("rm %s", safe_shell_quote(fname))); } diff --git a/src/bro.bif b/src/bro.bif index 6f06126e31..96419ab83d 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -440,13 +440,13 @@ static int do_system(const char* s) ## Invokes a command via the ``system`` function of the OS. ## The command runs in the background with ``stdout`` redirecting to ## ``stderr``. Here is a usage example: -## ``system(fmt("rm \"%s\"", str_shell_escape(sniffed_data)));`` +## ``system(fmt("rm %s", safe_shell_quote(sniffed_data)));`` ## ## str: The command to execute. ## ## Returns: The return value from the OS ``system`` function. ## -## .. bro:see:: system_env str_shell_escape piped_exec +## .. bro:see:: system_env safe_shell_quote piped_exec ## ## .. note:: ## @@ -472,7 +472,7 @@ function system%(str: string%): int ## ## Returns: The return value from the OS ``system`` function. ## -## .. bro:see:: system str_shell_escape piped_exec +## .. bro:see:: system safe_shell_quote piped_exec function system_env%(str: string, env: table_string_of_string%): int %{ if ( env->Type()->Tag() != TYPE_TABLE ) diff --git a/src/strings.bif b/src/strings.bif index 7435f5cffb..e7571d5c70 100644 --- a/src/strings.bif +++ b/src/strings.bif 
@@ -1184,10 +1184,54 @@ function string_fill%(len: int, source: string%): string ## ## source: The string to escape. ## +## Returns: A shell-escaped version of *source*. Specifically, this +## backslash-escapes characters whose literal value is not otherwise +## preserved by enclosure in double-quotes (dollar-sign, backquote, +## backslash, and double-quote itself), and then encloses that +## backslash-escaped string in double-quotes to ultimately preserve +## the literal value of all input characters. +## +## .. bro:see:: system safe_shell_quote +function safe_shell_quote%(source: string%): string + %{ + unsigned j = 0; + const u_char* src = source->Bytes(); + unsigned n = source->Len(); + byte_vec dst = new u_char[n * 2 + 1 + 2]; + dst[j++] = '"'; + + for ( unsigned i = 0; i < n; ++i ) + { + switch ( src[i] ) { + case '`': case '"': case '\\': case '$': + dst[j++] = '\\'; + break; + default: + break; + } + + dst[j++] = src[i]; + } + + dst[j++] = '"'; + dst[j] = '\0'; + return new StringVal(new BroString(1, dst, j)); + %} + +## Takes a string and escapes characters that would allow execution of +## commands at the shell level. Must be used before including strings in +## :bro:id:`system` or similar calls. This function is deprecated, use +## :bro:see:`safe_shell_quote` as a replacement. The difference is that +## :bro:see:`safe_shell_quote` automatically returns a value that is +## wrapped in double-quotes, which is required to correctly and fully +## escape any characters that might be interpreted by the shell. +## +## source: The string to escape. +## ## Returns: A shell-escaped version of *source*. ## -## .. bro:see:: system -function str_shell_escape%(source: string%): string +## .. bro:see:: system safe_shell_quote +function str_shell_escape%(source: string%): string &deprecated %{ unsigned j = 0; const u_char* src = source->Bytes(); 
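Review bot: safe_shell_quote copies a NUL byte through unchanged, so the Returns text's promise that the literal value of all input characters is preserved does not hold for input that contains one. The input is read with Bytes()/Len(), and a consumer that takes the result as a C string (do_system takes `const char*`) would presumably stop at the NUL, losing the closing quote and everything after it. Either reject such input or document the limit, e.g. `## .. note:: *source* must not contain NUL bytes; they cannot be carried in a shell command line.` The allocation `n * 2 + 1 + 2` is the exact worst case (every byte escaped, two quotes, terminator) but is computed in `unsigned`, and a short comment saying so would help the next reader. The body of str_shell_escape continues past the end of this hunk.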
diff --git a/testing/btest/Baseline/bifs.safe_shell_quote/out b/testing/btest/Baseline/bifs.safe_shell_quote/out new file mode 100644 index 0000000000..33e291680c --- /dev/null +++ b/testing/btest/Baseline/bifs.safe_shell_quote/out @@ -0,0 +1,2 @@ +echo `pwd` ${TEST} > "my file"; echo -e "\n" +"echo \`pwd\` \${TEST} > \"my file\"; echo -e \"\\n\"" diff --git a/testing/btest/bifs/safe_shell_quote.bro b/testing/btest/bifs/safe_shell_quote.bro new file mode 100644 index 0000000000..490952c79b --- /dev/null +++ b/testing/btest/bifs/safe_shell_quote.bro @@ -0,0 +1,12 @@ +# +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +event bro_init() + { + local a = "echo `pwd` ${TEST} > \"my file\"; echo -e \"\\n\""; + print a; + + local b = safe_shell_quote(a); + print b; + } From 73954bca27b44ce316ab6bd817b8a8a498efafe7 Mon Sep 17 00:00:00 2001 From: Justin Azoff Date: Wed, 27 Mar 2019 11:02:27 -0400 Subject: [PATCH 46/88] Reduce weird-stats overhead observe_weird_stats only needs to be called when cluster_ss_request is called for the weirds.statistics stat, not for all of them. --- scripts/policy/misc/weird-stats.bro | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/policy/misc/weird-stats.bro b/scripts/policy/misc/weird-stats.bro index 50e29dd010..ac0914d531 100644 --- a/scripts/policy/misc/weird-stats.bro +++ b/scripts/policy/misc/weird-stats.bro @@ -84,6 +84,8 @@ function observe_weird_stats() # less synchronized? event SumStats::cluster_ss_request(uid: string, ss_name: string, cleanup: bool) &priority=10 { + if ( ss_name != "weirds.statistics" ) + return; observe_weird_stats(); } From ee00483ee613ffb2e419183f5ab8f4e911ace751 Mon Sep 17 00:00:00 2001 
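Review bot: The new safe_shell_quote test pins only the printed form of a single input, so it would not notice a quoting rule that a shell does not actually honour. Add a case that passes the quoted value through a shell and compares what comes back with the original string. The empty string is also worth pinning, since the loop in the BIF is skipped and the result should be just the two quotes: `print safe_shell_quote("");` with a matching `""` line in the baseline.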
From: Jon Siwek Date: Wed, 27 Mar 2019 10:53:01 -0700 Subject: [PATCH 47/88] Update now-broken Broker API usages Related to the changes from https://github.com/zeek/broker/pull/38 --- CHANGES | 7 +++++++ NEWS | 3 +++ VERSION | 2 +- aux/broctl | 2 +- aux/broker | 2 +- src/broker/Manager.cc | 4 ++-- 6 files changed, 15 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 733c4ed9dc..4906cd28b7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.6-193 | 2019-03-27 10:53:01 -0700 + + * Update now-broken Broker API usages (Jon Siwek, Corelight) + + Related to https://github.com/zeek/broker/pull/38, see Broker's NEWS file + for C++ code migration hints. + 2.6-192 | 2019-03-25 17:49:18 -0700 * Deprecate str_shell_escape, add safe_shell_quote replacement (Jon Siwek, Corelight) diff --git a/NEWS b/NEWS index 09763cdd0e..2fe8d2a569 100644 --- a/NEWS +++ b/NEWS @@ -100,6 +100,9 @@ Changed Functionality To revert back to compiling only a static library, there's the ``--enable-static-binpac`` configure option. +- The Broker C++ API has some breaking changes, see it's own NEWS file for + details on how to migrate old code. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index e7ef7ca154..a77d525cfc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-192 +2.6-193 diff --git a/aux/broctl b/aux/broctl index 963a4e1501..afc0260abf 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 963a4e1501ef28370f3dd3e2a5c79b3515e10a7a +Subproject commit afc0260abf663f4b44d535d66d378fde7b0d5206 diff --git a/aux/broker b/aux/broker index 24867d5972..7dab576984 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 24867d59728c56e295b1489f308161d0095ce487 +Subproject commit 7dab576984dee1f58fe5ceb81f36b63128d58860 diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 38ab4cd60d..d31198ced7 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc 
@@ -918,8 +918,8 @@ void Manager::Process() { had_input = true; - auto& topic = message.first; - auto& msg = message.second; + auto& topic = broker::get_topic(message); + auto& msg = broker::get_data(message); try { From bff8392ad41ca6ca16dd4d5d812d994a86e2b83c Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Sun, 31 Mar 2019 02:24:47 -0500 Subject: [PATCH 48/88] Remove unnecessary ".bro" from @load directives Removed ".bro" file extensions from "@load" directives because they are not needed. --- scripts/base/files/pe/main.bro | 2 +- scripts/base/frameworks/files/__load__.bro | 2 +- scripts/base/protocols/radius/main.bro | 2 +- scripts/policy/tuning/defaults/__load__.bro | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index 972e8a31c8..9ef859d2fb 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -1,6 +1,6 @@ module PE; -@load ./consts.bro +@load ./consts export { redef enum Log::ID += { LOG }; diff --git a/scripts/base/frameworks/files/__load__.bro b/scripts/base/frameworks/files/__load__.bro index 2177d81e25..2da9cffc66 100644 --- a/scripts/base/frameworks/files/__load__.bro +++ b/scripts/base/frameworks/files/__load__.bro @@ -1,2 +1,2 @@ -@load ./main.bro +@load ./main @load ./magic diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro index ea30b27911..7c4e721ed6 100644 --- a/scripts/base/protocols/radius/main.bro +++ b/scripts/base/protocols/radius/main.bro @@ -2,7 +2,7 @@ module RADIUS; -@load ./consts.bro +@load ./consts @load base/utils/addrs export { diff --git a/scripts/policy/tuning/defaults/__load__.bro b/scripts/policy/tuning/defaults/__load__.bro index fd52f92401..2b574a6845 100644 --- a/scripts/policy/tuning/defaults/__load__.bro +++ b/scripts/policy/tuning/defaults/__load__.bro 
@@ -1,3 +1,3 @@
 @load ./packet-fragments
 @load ./warnings
-@load ./extracted_file_limits.bro
+@load ./extracted_file_limits
From 995368e68c3c882c67ca50d3a757c8b7d0d2f42f Mon Sep 17 00:00:00 2001
From: Jon Siwek Date: Mon, 1 Apr 2019 18:27:53 -0700 Subject: [PATCH 49/88] Remove variable content from weird names This changes many weird names to move non-static content from the weird name into the "addl" field to help ensure the total number of weird names is reasonably bounded. Note the net_weird and flow_weird events do not have an "addl" parameter, so information may no longer be available in those cases -- to make it available again we'd need to either (1) define new events that contain such a parameter, or (2) change net_weird/flow_weird event signature (which is a breaking change for user-code at the moment). Also, the generic handling of binpac exceptions for analyzers which do not otherwise catch and handle them has been changed from a Weird to a ProtocolViolation. Finally, a new "file_weird" event has been added for reporting weirdness found during file analysis. --- NEWS | 46 +++++++++++++++++++ doc | 2 +- scripts/base/frameworks/notice/weird.bro | 10 ++++ src/CMakeLists.txt | 1 + src/Conn.cc | 24 +--------- src/Conn.h | 10 +--- src/IP.cc | 4 +- src/Reporter.cc | 23 ++++++++-- src/Reporter.h | 4 +- src/Sessions.cc | 8 ++-- src/WeirdState.cc | 30 ++++++++++++ src/WeirdState.h | 21 +++++++++ src/analyzer/Analyzer.cc | 6 +-- .../protocol/bittorrent/BitTorrent.cc | 2 - .../protocol/bittorrent/BitTorrentTracker.cc | 9 ++-- .../bittorrent/bittorrent-analyzer.pac | 1 - .../protocol/dce-rpc/dce_rpc-auth.pac | 2 +- .../protocol/gtpv1/gtpv1-analyzer.pac | 12 ++--- src/analyzer/protocol/netbios/NetbiosSSN.cc | 8 ++-- src/analyzer/protocol/rpc/MOUNT.cc | 4 +- src/analyzer/protocol/rpc/NFS.cc | 4 +- src/analyzer/protocol/rpc/RPC.cc | 10 ++-- src/analyzer/protocol/rpc/RPC.h | 2 +- .../protocol/socks/socks-analyzer.pac | 4 +- src/analyzer/protocol/ssh/ssh-protocol.pac | 2 +- .../protocol/ssl/tls-handshake-analyzer.pac | 2 +- src/analyzer/protocol/udp/UDP.cc | 2 +- src/event.bif | 27 +++++++++-- src/file_analysis/File.cc | 6 +++ src/file_analysis/File.h | 10 ++++ 
src/file_analysis/analyzer/x509/OCSP.cc | 20 ++++---- src/file_analysis/analyzer/x509/OCSP.h | 4 +- src/file_analysis/analyzer/x509/X509.cc | 18 ++++---- src/file_analysis/analyzer/x509/X509.h | 4 +- src/file_analysis/analyzer/x509/X509Common.cc | 31 ++++++++----- src/file_analysis/analyzer/x509/X509Common.h | 6 ++- src/reporter.bif | 21 +++++++++ .../core.disable-mobile-ipv6/weird.log | 2 +- .../conn.log | 6 +-- .../weird.log | 13 ------ .../weird.log | 10 ---- .../scripts/base/protocols/modbus/events.bro | 1 + .../protocols/modbus/exception_handling.test | 2 - .../base/protocols/modbus/length_mismatch.bro | 1 - .../scripts/base/protocols/modbus/policy.bro | 2 + testing/external/commit-hash.zeek-testing | 2 +- .../external/commit-hash.zeek-testing-private | 2 +- 47 files changed, 289 insertions(+), 152 deletions(-) create mode 100644 src/WeirdState.cc create mode 100644 src/WeirdState.h delete mode 100644 testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log delete mode 100644 testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log diff --git a/NEWS b/NEWS index 2fe8d2a569..13f05baa3b 100644 --- a/NEWS +++ b/NEWS @@ -66,6 +66,8 @@ New Functionality - Add support for SMB filenames in the intel framework. +- Added a new event for weirdness found via file analysis: ``file_weird``. + Changed Functionality --------------------- 
@@ -103,6 +105,50 @@ Changed Functionality - The Broker C++ API has some breaking changes, see it's own NEWS file for details on how to migrate old code. +- Some Weirds associated with generic binpac parsing exceptions in analyzers + that didn't otherwise handle them (like syslog, modbus, dnp3) are now + a ProtocolViolation instead + +- Weird names that contained variable content and may result in an unbounded + number of weird names have been renamed to remove the variable content + (which has been made available in the "addl" field of conn_weirds): + + - "unknown_dce_rpc_auth_type_%d" -> unknown_dce_rpc_auth_type + - "gtp_invalid_info_element_%d" -> gtp_invalid_info_element + - "unknown_netbios_type:" 0x%x -> unknown_netbios_type + - "excess_netbios_hdr_len" (%d > %d) -> excess_netbios_hdr_len + - "deficit_netbios_hdr_len" (%d > %d) -> deficit_netbios_hdr_len + - "bad_RPC_program (%d)" -> bad_RPC_program + - "unknown_MOUNT_request(%u)" -> unknown_MOUNT_request + - "unknown_NFS_request(%u)" -> unknown_NFS_request + - "RPC resync: discard %d bytes\n" -> RPC_resync + - "RPC_message_too_long (%d64)" -> RPC_message_too_long + - "socks5_unsupported_authentication_method_%d" -> socks5_unsupported_authentication_method + - "socks5_unsupported_authentication_%d_%d" -> socks5_unsupported_authentication + - "ssh_unknown_kex_algorithm=%s" -> ssh_unknown_kex_algorithm + - "Encountered unknown type in server name ssl extension: %d" -> ssl_ext_unknown_server_name_type + - "UDP_datagram_length_mismatch(%d!=%d)" -> UDP_datagram_length_mismatch + - "OPENSSL Could not parse OCSP request (fuid %s)" -> openssl_ocsp_request_parse_error + - "OPENSSL Could not parse OCSP response (fuid %s)" -> openssl_ocsp_response_parse_error + - "Could not parse X509 certificate (fuid %s)" -> x509_cert_parse_error + - "Certificate with invalid BasicConstraint. fuid %s" -> x509_invalid_basic_constraint + - "Could not parse subject alternative names. 
fuid %s" -> x509_san_parse_error + - "DNS-field does not contain an IA5String. fuid %s" -> x509_san_non_string + - "Weird IP address length %d in subject alternative name. fuid %s" -> x509_san_ip_length + - "Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length" -> x509_utc_length + - "Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)" -> x509_utc_format + - "Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length" -> x509_gen_time_length + - "Invalid time type in X509 certificate (fuid %s)" -> x509_invalid_time_type + - "Could not parse time in X509 certificate (fuid %s) -- additional char after time" -> x509_time_add_char + - "Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset" -> x509_time_offset_underflow + - "Could not parse time in X509 certificate (fuid %s) -- unknown offset type" -> x509_time_offset_type + - "X509::GetExtensionFromBIO: %s" -> x509_get_ext_from_bio + - "unknown_mobility_type_%d" -> unknown_mobility_type + - "unknown_routing_type_%d" -> unknown_routing_type + - "unknown_protocol_%d" -> unknown_protocol + - "unknown_gre_version_%d" -> unknown_gre_version + - "unknown_gre_protocol_%u16" -> unknown_gre_protocol + Removed Functionality --------------------- diff --git a/doc b/doc index e404fc80c5..a2c1072f68 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit e404fc80c5c4ecfd0c4441b6b83826761bd985e9 +Subproject commit a2c1072f687067f2e3ef8bfd3d72743576dd4995 diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro index c6f3748a46..c7a1f3aefb 100644 --- a/scripts/base/frameworks/notice/weird.bro +++ b/scripts/base/frameworks/notice/weird.bro 
@@ -422,3 +422,13 @@ event net_weird(name: string) local i = Info($ts=network_time(), $name=name); weird(i); } + +event file_weird(name: string, f: fa_file, addl: string) + { + local i = Info($ts=network_time(), $name=name, $addl=f$id); + + if ( addl != "" ) + i$addl += fmt(": %s", addl); + + weird(i); + } diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index f3dfd42d85..7aa750ac80 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -319,6 +319,7 @@ set(bro_SRCS UID.cc Val.cc Var.cc + WeirdState.cc bsd-getopt-long.c bro_inet_ntop.c cq.c diff --git a/src/Conn.cc b/src/Conn.cc index b55b1210b0..03ecf32703 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -1075,27 +1075,5 @@ void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label) bool Connection::PermitWeird(const char* name, uint64 threshold, uint64 rate, double duration) { - auto& state = weird_state[name]; - ++state.count; - - if ( state.count <= threshold ) - return true; - - if ( state.count == threshold + 1) - state.sampling_start_time = network_time; - else - { - if ( network_time > state.sampling_start_time + duration ) - { - state.sampling_start_time = 0; - state.count = 1; - return true; - } - } - - auto num_above_threshold = state.count - threshold; - if ( rate ) - return num_above_threshold % rate == 0; - else - return false; + return ::PermitWeird(weird_state, name, threshold, rate, duration); } diff --git a/src/Conn.h b/src/Conn.h index ae639d6341..e49314968a 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -17,6 +17,7 @@ #include "IPAddr.h" #include "TunnelEncapsulation.h" #include "UID.h" +#include "WeirdState.h" #include "analyzer/Tag.h" #include "analyzer/Analyzer.h" 
@@ -345,14 +346,7 @@ protected: analyzer::pia::PIA* primary_PIA; Bro::UID uid; // Globally unique connection ID. - - struct WeirdState { - WeirdState() { count = 0; sampling_start_time = 0; } - uint64 count = 0; - double sampling_start_time = 0; - }; - - std::unordered_map weird_state; + WeirdStateMap weird_state; }; class ConnectionTimer : public Timer { diff --git a/src/IP.cc b/src/IP.cc index 689876339b..516be7fdd4 100644 --- a/src/IP.cc +++ b/src/IP.cc @@ -288,7 +288,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const } default: - reporter->Weird(fmt("unknown_mobility_type_%d", mob->ip6mob_type)); + reporter->Weird(fmt("unknown_mobility_type", mob->ip6mob_type)); break; } @@ -553,7 +553,7 @@ void IPv6_Hdr_Chain::ProcessRoutingHeader(const struct ip6_rthdr* r, uint16 len) #endif default: - reporter->Weird(fmt("unknown_routing_type_%d", r->ip6r_type)); + reporter->Weird(SrcAddr(), DstAddr(), "unknown_routing_type"); break; } } diff --git a/src/Reporter.cc b/src/Reporter.cc index ba1196de21..413f89b9ea 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -13,6 +13,7 @@ #include "Timer.h" #include "plugin/Plugin.h" #include "plugin/Manager.h" +#include "file_analysis/File.h" #ifdef SYSLOG_INT extern "C" { @@ -213,12 +214,14 @@ void Reporter::Syslog(const char* fmt, ...) va_end(ap); } -void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...) +void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...) { val_list* vl = new val_list(1); if ( conn_val ) vl->append(conn_val); + else if ( f ) + vl->append(f->GetVal()->Ref()); if ( addl ) vl->append(new StringVal(addl)); 
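Review bot: In IPv6_Hdr::BuildRecordVal the call `reporter->Weird(fmt("unknown_mobility_type", mob->ip6mob_type));` still goes through fmt() with an argument but no conversion specifier, so the value is silently discarded and format checking may warn about the extra argument. Write `reporter->Weird("unknown_mobility_type");` to match the other renamed weirds. The routing-type case in the second IP.cc hunk switched to the flow overload with `SrcAddr(), DstAddr()`; if addresses are reachable from BuildRecordVal as well, using the same overload would keep the two cases consistent. Both functions extend beyond their hunks.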
@@ -339,7 +342,21 @@ void Reporter::Weird(const char* name) return; } - WeirdHelper(net_weird, 0, 0, "%s", name); + WeirdHelper(net_weird, 0, 0, 0, "%s", name); + } + +void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl) + { + UpdateWeirdStats(name); + + if ( ! WeirdOnSamplingWhiteList(name) ) + { + if ( ! f->PermitWeird(name, weird_sampling_threshold, + weird_sampling_rate, weird_sampling_duration) ) + return; + } + + WeirdHelper(file_weird, 0, f, addl, "%s", name); } void Reporter::Weird(Connection* conn, const char* name, const char* addl) @@ -353,7 +370,7 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl) return; } - WeirdHelper(conn_weird, conn->BuildConnVal(), addl, "%s", name); + WeirdHelper(conn_weird, conn->BuildConnVal(), 0, addl, "%s", name); } void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name) diff --git a/src/Reporter.h b/src/Reporter.h index bd029c0b59..88270a9dba 100644 --- a/src/Reporter.h +++ b/src/Reporter.h @@ -17,6 +17,7 @@ #include "IPAddr.h" namespace analyzer { class Analyzer; } +namespace file_analysis { class File; } class Connection; class Location; class Reporter; @@ -84,6 +85,7 @@ public: // Report a traffic weirdness, i.e., an unexpected protocol situation // that may lead to incorrectly processing a connnection. void Weird(const char* name); // Raises net_weird(). + void Weird(file_analysis::File* f, const char* name, const char* addl = ""); // Raises file_weird(). void Weird(Connection* conn, const char* name, const char* addl = ""); // Raises conn_weird(). void Weird(const IPAddr& orig, const IPAddr& resp, const char* name); // Raises flow_weird(). 
@@ -238,7 +240,7 @@ private: // The order if addl, name needs to be like that since fmt_name can // contain format specifiers - void WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...) __attribute__((format(printf, 5, 6)));; + void WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...) __attribute__((format(printf, 6, 7)));; void WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...) __attribute__((format(printf, 4, 5)));; void UpdateWeirdStats(const char* name); inline bool WeirdOnSamplingWhiteList(const char* name) diff --git a/src/Sessions.cc b/src/Sessions.cc index 5709ad5f28..edccb7e00c 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -537,8 +537,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( gre_version != 0 && gre_version != 1 ) { - Weird(fmt("unknown_gre_version_%d", gre_version), ip_hdr, - encapsulation); + Weird("unknown_gre_version", ip_hdr, encapsulation); return; } @@ -613,8 +612,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr else { // Not IPv4/IPv6 payload. - Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr, - encapsulation); + Weird("unknown_gre_protocol", ip_hdr, encapsulation); return; } @@ -747,7 +745,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr } default: - Weird(fmt("unknown_protocol_%d", proto), pkt, encapsulation); + Weird("unknown_protocol", pkt, encapsulation); return; } diff --git a/src/WeirdState.cc b/src/WeirdState.cc new file mode 100644 index 0000000000..1f1407a1d2 --- /dev/null +++ b/src/WeirdState.cc 
@@ -0,0 +1,30 @@ +#include "WeirdState.h" +#include "Net.h" + +bool PermitWeird(WeirdStateMap& wsm, const char* name, uint64_t threshold, + uint64_t rate, double duration) + { + auto& state = wsm[name]; + ++state.count; + + if ( state.count <= threshold ) + return true; + + if ( state.count == threshold + 1) + state.sampling_start_time = network_time; + else + { + if ( network_time > state.sampling_start_time + duration ) + { + state.sampling_start_time = 0; + state.count = 1; + return true; + } + } + + auto num_above_threshold = state.count - threshold; + if ( rate ) + return num_above_threshold % rate == 0; + else + return false; + } diff --git a/src/WeirdState.h b/src/WeirdState.h new file mode 100644 index 0000000000..64dc2bb4b2 --- /dev/null +++ b/src/WeirdState.h @@ -0,0 +1,21 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef WEIRDSTATE_H +#define WEIRDSTATE_H + +#include +#include + +struct WeirdState { + WeirdState() { count = 0; sampling_start_time = 0; } + uint64_t count = 0; + double sampling_start_time = 0; +}; + +using WeirdStateMap = std::unordered_map; + +bool PermitWeird(WeirdStateMap& wsm, const char* name, uint64_t threshold, + uint64_t rate, double duration); + +#endif // WEIRDSTATE_H + diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index 1fe0dc82bf..818dd917e8 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -223,7 +223,7 @@ void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, uint64 seq, } catch ( binpac::Exception const &e ) { - Weird(e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } } @@ -246,7 +246,7 @@ void Analyzer::NextStream(int len, const u_char* data, bool is_orig) } catch ( binpac::Exception const &e ) { - Weird(e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } } 
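Review bot: PermitWeird is now a shared free function, but WeirdState.h declares it without describing its sampling contract, which both Connection and the file-analysis path now depend on. A header comment should state what the body in WeirdState.cc does: the first `threshold` occurrences of a name are always permitted, after that only every `rate`-th one is (none when `rate` is 0), and once more than `duration` seconds of network time have passed since sampling began the counter restarts at 1. The explicit `WeirdState()` constructor repeats the default member initializers on the two fields and could be dropped.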
@@ -269,7 +269,7 @@ void Analyzer::NextUndelivered(uint64 seq, int len, bool is_orig) } catch ( binpac::Exception const &e ) { - Weird(e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } } diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index fd2d5fa914..652d3d120c 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -126,6 +126,4 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) vl->append(new StringVal(msg)); ConnectionEvent(bittorrent_peer_weird, vl); } - else - Weird(msg); } diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 0a3cda37fd..54cac790fb 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -253,8 +253,6 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig) vl->append(new StringVal(msg)); ConnectionEvent(bt_tracker_weird, vl); } - else - Weird(msg); } bool BitTorrentTracker_Analyzer::ParseRequest(char* line) @@ -326,8 +324,11 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line) case BTT_REQ_DONE: if ( *line ) - DeliverWeird(fmt("Got post request data: %s\n", line), - true); + { + auto msg = fmt("Got post request data: %s\n", line); + Weird("bittorrent_tracker_data_post_request", msg); + DeliverWeird(msg, true); + } break; default: diff --git a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac index c3ba226908..232f4a9bd1 100644 --- a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac +++ b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac 
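Review bot: With the `else Weird(msg);` fallback removed from BitTorrent_Analyzer::DeliverWeird and BitTorrentTracker_Analyzer::DeliverWeird, these conditions appear to leave no record at all when the script layer defines no handler for bittorrent_peer_weird or bt_tracker_weird; only the post-request case in ParseRequest gained a fixed-name weird. If that loss of visibility is not intended, have DeliverWeird raise one static name with the message as addl, e.g. `Weird("bittorrent_tracker_weird", msg);` (name constructed here as an example). In ParseRequest, `msg` comes from fmt() and is used again after the Weird() call; if fmt() hands back a reused buffer, which its use without a matching free suggests, copy it before the first call. The condition guarding ConnectionEvent lies outside these hunks.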
@@ -40,7 +40,6 @@ flow BitTorrent_Flow(is_orig: bool) { if ( pstrlen != 19 || memcmp("BitTorrent protocol", pstr.begin(), 19) ) { - connection()->bro_analyzer()->Weird(fmt("BitTorrent: invalid handshake (pstrlen: %hhu, pstr: %.*s)", pstrlen, 19, pstr.begin())); throw Exception("invalid handshake"); } diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac index d776f6fec2..44648e35f0 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac @@ -43,7 +43,7 @@ refine connection DCE_RPC_Conn += { ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig); break; default: - bro_analyzer()->Weird(fmt("unknown_dce_rpc_auth_type_%d",${auth.type})); + bro_analyzer()->Weird("unknown_dce_rpc_auth_type", fmt("%d", ${auth.type})); break; } diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac index 37b7cee0b1..6cf9439363 100644 --- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac +++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac @@ -319,7 +319,7 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) rv->Assign(21, BuildPrivateExt(ie)); break; default: - a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type())); + a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type())); break; } } @@ -388,7 +388,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) rv->Assign(12, BuildPrivateExt(ie)); break; default: - a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type())); + a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type())); break; } } @@ -466,7 +466,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) rv->Assign(15, BuildEndUserAddr(ie)); break; default: - a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type())); + a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type())); break; } } 
@@ -526,7 +526,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) rv->Assign(9, BuildPrivateExt(ie)); break; default: - a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type())); + a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type())); break; } } @@ -560,7 +560,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) rv->Assign(2, BuildPrivateExt(ie)); break; default: - a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type())); + a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type())); break; } } @@ -591,7 +591,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) rv->Assign(1, BuildPrivateExt(ie)); break; default: - a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type())); + a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type())); break; } } diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc index 07c81f6839..492375b7aa 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.cc +++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc @@ -97,7 +97,7 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags, return ParseDatagram(data, len, is_query); default: - analyzer->Weird(fmt("unknown_netbios_type: 0x%x", type)); + analyzer->Weird("unknown_netbios_type", fmt("0x%x", type)); return 1; } } @@ -143,7 +143,7 @@ int NetbiosSSN_Interpreter::ParseMessageTCP(const u_char* data, int len, NetbiosSSN_RawMsgHdr hdr(data, len); if ( hdr.length > unsigned(len) ) - analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)", + analyzer->Weird("excess_netbios_hdr_len", fmt("(%d > %d)", hdr.length, len)); else if ( hdr.length < unsigned(len) ) 
@@ -162,12 +162,12 @@ int NetbiosSSN_Interpreter::ParseMessageUDP(const u_char* data, int len, NetbiosDGM_RawMsgHdr hdr(data, len); if ( unsigned(hdr.length-14) > unsigned(len) ) - analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)", + analyzer->Weird("excess_netbios_hdr_len", fmt("(%d > %d)", hdr.length, len)); else if ( hdr.length < unsigned(len) ) { - analyzer->Weird(fmt("deficit_netbios_hdr_len (%d < %d)", + analyzer->Weird("deficit_netbios_hdr_len", fmt("(%d < %d)", hdr.length, len)); len = hdr.length; } diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc index f32f4449af..604d2e3ed1 100644 --- a/src/analyzer/protocol/rpc/MOUNT.cc +++ b/src/analyzer/protocol/rpc/MOUNT.cc @@ -17,7 +17,7 @@ using namespace analyzer::rpc; int MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { if ( c->Program() != 100005 ) - Weird(fmt("bad_RPC_program (%d)", c->Program())); + Weird("bad_RPC_program", fmt("%d", c->Program())); uint32 proc = c->Proc(); // The call arguments, depends on the call type obviously ... @@ -49,7 +49,7 @@ int MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) n = 0; } else - Weird(fmt("unknown_MOUNT_request(%u)", proc)); + Weird("unknown_MOUNT_request", fmt("%u", proc)); // Return 1 so that replies to unprocessed calls will still // be processed, and the return status extracted. diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 6d0841900c..ff16812d65 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -17,7 +17,7 @@ using namespace analyzer::rpc; int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { if ( c->Program() != 100003 ) - Weird(fmt("bad_RPC_program (%d)", c->Program())); + Weird("bad_RPC_program", fmt("%d", c->Program())); uint32 proc = c->Proc(); // The call arguments, depends on the call type obviously ... 
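Review bot: In ParseMessageUDP the new `excess_netbios_hdr_len` addl prints `hdr.length`, but the branch it sits in fires on `unsigned(hdr.length-14) > unsigned(len)`, so the logged pair need not satisfy the `>` it displays. Someone triaging weird.log would see numbers that do not explain why the weird was raised. Logging the compared quantity, for example `fmt("(%d > %d)", hdr.length-14, len)`, keeps the field usable. The `deficit_netbios_hdr_len` branch compares the raw `hdr.length`, so its addl is consistent. The function continues outside this hunk.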
@@ -103,7 +103,7 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) n = 0; } else - Weird(fmt("unknown_NFS_request(%u)", proc)); + Weird("unknown_NFS_request", fmt("%u", proc)); // Return 1 so that replies to unprocessed calls will still // be processed, and the return status extracted. diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index 9d86210df6..5bd748d1ea 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -371,9 +371,9 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, } } -void RPC_Interpreter::Weird(const char* msg) +void RPC_Interpreter::Weird(const char* msg, const char* addl) { - analyzer->Weird(msg); + analyzer->Weird(msg, addl); } @@ -532,9 +532,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) DEBUG_MSG("%.6f RPC resync: " "discard small pieces: %d\n", network_time, len); - Conn()->Weird( - fmt("RPC resync: discard %d bytes\n", - len)); + Conn()->Weird("RPC_resync", fmt("discard %d bytes\n", len)); } NeedResync(); @@ -677,7 +675,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) // network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len); if ( ! msg_buf.AddToExpected(marker) ) - Conn()->Weird(fmt("RPC_message_too_long (%" PRId64 ")" , msg_buf.GetExpected())); + Conn()->Weird("RPC_message_too_long", fmt("%" PRId64, msg_buf.GetExpected())); if ( last_frag ) state = WAIT_FOR_LAST_DATA; diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h index 8fa19b8d53..40c65a00d4 100644 --- a/src/analyzer/protocol/rpc/RPC.h +++ b/src/analyzer/protocol/rpc/RPC.h 
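Review bot: The `RPC_resync` call in CheckResync keeps the trailing `\n` from the old message, so the newline now lands in the weird's `addl` field. The weird.log baselines in this patch are tab-separated and line-oriented, so a control character inside a field is at best escaped noise for downstream parsers. Drop it: `Conn()->Weird("RPC_resync", fmt("discard %d bytes", len));`. CheckResync starts and ends outside this hunk.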
@@ -123,7 +123,7 @@ protected: void Event_RPC_Call(RPC_CallInfo* c); void Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len); - void Weird(const char* name); + void Weird(const char* name, const char* addl = ""); PDict(RPC_CallInfo) calls; analyzer::Analyzer* analyzer; diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index 206b632fe0..f625851d0a 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -161,13 +161,13 @@ refine connection SOCKS_Conn += { function socks5_unsupported_authentication_method(auth_method: uint8): bool %{ - reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_method_%d", auth_method)); + reporter->Weird(bro_analyzer()->Conn(), "socks5_unsupported_authentication_method", fmt("%d", auth_method)); return true; %} function socks5_unsupported_authentication_version(auth_method: uint8, version: uint8): bool %{ - reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_%d_%d", auth_method, version)); + reporter->Weird(bro_analyzer()->Conn(), "socks5_unsupported_authentication", fmt("method %d, version %d", auth_method, version)); return true; %} diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index bf09f6e168..b0caebc740 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac +++ b/src/analyzer/protocol/ssh/ssh-protocol.pac @@ -415,7 +415,7 @@ refine connection SSH_Conn += { return true; - bro_analyzer()->Weird(fmt("ssh_unknown_kex_algorithm=%s", c_str(kex_algorithm_))); + bro_analyzer()->Weird("ssh_unknown_kex_algorithm", c_str(kex_algorithm_)); return true; } diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 7d2986efe3..5cf250c366 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
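Review bot: In the SSH_Conn hunk, `c_str(kex_algorithm_)` is now passed as the weird's `addl` with no length bound or character filtering at this call site. The value appears to be the algorithm name taken from the peer's key-exchange message, i.e. text the remote side chooses. Moving it out of the weird name is the right direction, since the name is what filtering policies key on, but the line deserves a comment such as `// addl is peer-supplied; treat as untrusted when rendering weird.log`. Whether the logging layer escapes control characters is not visible here and should be confirmed. The enclosing function starts outside the hunk.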
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -172,7 +172,7 @@ refine connection Handshake_Conn += { ServerName* servername = (*list)[i]; if ( servername->name_type() != 0 ) { - bro_analyzer()->Weird(fmt("Encountered unknown type in server name ssl extension: %d", servername->name_type())); + bro_analyzer()->Weird("ssl_ext_unknown_server_name_type", fmt("%d", servername->name_type())); continue; } diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index ae56d8d22d..ca144941b6 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -124,7 +124,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int ulen = ntohs(up->uh_ulen); if ( ulen != len ) - Weird(fmt("UDP_datagram_length_mismatch(%d!=%d)", ulen, len)); + Weird("UDP_datagram_length_mismatch", fmt("%d != %d", ulen, len)); len -= sizeof(struct udphdr); ulen -= sizeof(struct udphdr); diff --git a/src/event.bif b/src/event.bif index 28ed7f6807..ae00c9b653 100644 --- a/src/event.bif +++ b/src/event.bif @@ -421,7 +421,7 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%); ## ## addl: Optional additional context further describing the situation. ## -## .. bro:see:: flow_weird net_weird +## .. bro:see:: flow_weird net_weird file_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol @@ -444,7 +444,7 @@ event conn_weird%(name: string, c: connection, addl: string%); ## ## dst: The destination address corresponding to the activity. ## -## .. bro:see:: conn_weird net_weird +## .. bro:see:: conn_weird net_weird file_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol 
@@ -462,7 +462,7 @@ event flow_weird%(name: string, src: addr, dst: addr%); ## scripts use this name in filtering policies that specify which ## "weirds" are worth reporting. ## -## .. bro:see:: flow_weird +## .. bro:see:: flow_weird file_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol @@ -470,6 +470,27 @@ event flow_weird%(name: string, src: addr, dst: addr%); ## endpoint's implementation interprets an RFC quite liberally. event net_weird%(name: string%); +## Generated for unexpected activity that is tied to a file. +## When Bro's packet analysis encounters activity that +## does not conform to a protocol's specification, it raises one of the +## ``*_weird`` events to report that. +## +## name: A unique name for the specific type of "weird" situation. Bro's default +## scripts use this name in filtering policies that specify which +## "weirds" are worth reporting. +## +## f: The corresponding file. +## +## addl: Additional information related to the weird. +## +## .. bro:see:: flow_weird net_weird conn_weird +## +## .. note:: "Weird" activity is much more common in real-world network traffic +## than one would intuitively expect. While in principle, any protocol +## violation could be an attack attempt, it's much more likely that an +## endpoint's implementation interprets an RFC quite liberally. +event file_weird%(name: string, f: fa_file, addl: string%); + ## Generated regularly for the purpose of profiling Bro's processing. This event ## is raised for every :bro:id:`load_sample_freq` packet. For these packets, ## Bro records script-level functions executed during their processing as well diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 92c4356bda..641943909e 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc 
@@ -649,3 +649,9 @@ void File::FileEvent(EventHandlerPtr h, val_list* vl) analyzers.DrainModifications(); } } + +bool File::PermitWeird(const char* name, uint64 threshold, uint64 rate, + double duration) + { + return ::PermitWeird(weird_state, name, threshold, rate, duration); + } diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 1d4fb03789..0c4c313f06 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -13,6 +13,7 @@ #include "Tag.h" #include "AnalyzerSet.h" #include "BroString.h" +#include "WeirdState.h" namespace file_analysis { @@ -192,6 +193,13 @@ public: */ bool SetMime(const string& mime_type); + /** + * Whether to permit a weird to carry on through the full reporter/weird + * framework. + */ + bool PermitWeird(const char* name, uint64 threshold, uint64 rate, + double duration); + protected: friend class Manager; friend class FileReassembler; @@ -325,6 +333,8 @@ protected: BroString::CVec chunks; } bof_buffer; /**< Beginning of file buffer. */ + WeirdStateMap weird_state; + static int id_idx; static int parent_id_idx; static int source_idx; diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index b5ec4f30c6..c49481c23a 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -160,11 +160,11 @@ bool file_analysis::OCSP::EndOfFile() if (!req) { - reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "openssl_ocsp_request_parse_error"); return false; } - ParseRequest(req, GetFile()->GetID().c_str()); + ParseRequest(req); OCSP_REQUEST_free(req); } else 
@@ -173,12 +173,12 @@ bool file_analysis::OCSP::EndOfFile() if (!resp) { - reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "openssl_ocsp_response_parse_error"); return false; } OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership - ParseResponse(resp_val, GetFile()->GetID().c_str()); + ParseResponse(resp_val); Unref(resp_val); } @@ -412,7 +412,7 @@ static uint64 parse_request_version(OCSP_REQUEST* req) } #endif -void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) +void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req) { char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions memset(buf, 0, sizeof(buf)); @@ -453,7 +453,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) BIO_free(bio); } -void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) +void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) { OCSP_RESPONSE *resp = resp_val->GetResp(); //OCSP_RESPBYTES *resp_bytes = resp->responseBytes; @@ -532,7 +532,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) produced_at = OCSP_resp_get0_produced_at(basic_resp); #endif - vl->append(new Val(GetTimeFromAsn1(produced_at, fid, reporter), TYPE_TIME)); + vl->append(new Val(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME)); // responses @@ -579,7 +579,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) // revocation time and reason if revoked if ( status == V_OCSP_CERTSTATUS_REVOKED ) { - rvl->append(new Val(GetTimeFromAsn1(revoke_time, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME)); if ( reason != OCSP_REVOKED_STATUS_NOSTATUS ) { 
@@ -596,12 +596,12 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) } if ( this_update ) - rvl->append(new Val(GetTimeFromAsn1(this_update, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME)); else rvl->append(new Val(0.0, TYPE_TIME)); if ( next_update ) - rvl->append(new Val(GetTimeFromAsn1(next_update, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME)); else rvl->append(new Val(0.0, TYPE_TIME)); diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index 75caf3120a..eb6499794c 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -29,8 +29,8 @@ protected: OCSP(RecordVal* args, File* file, bool request); private: - void ParseResponse(OCSP_RESPVal*, const char* fid = 0); - void ParseRequest(OCSP_REQUEST*, const char* fid = 0); + void ParseResponse(OCSP_RESPVal*); + void ParseRequest(OCSP_REQUEST*); void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string ocsp_data; diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index e34bf58d82..38422897db 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc 
@@ -47,14 +47,14 @@ bool file_analysis::X509::EndOfFile() ::X509* ssl_cert = d2i_X509(NULL, &cert_char, cert_data.size()); if ( ! ssl_cert ) { - reporter->Weird(fmt("Could not parse X509 certificate (fuid %s)", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_cert_parse_error"); return false; } X509Val* cert_val = new X509Val(ssl_cert); // cert_val takes ownership of ssl_cert // parse basic information into record. - RecordVal* cert_record = ParseCertificate(cert_val, GetFile()->GetID().c_str()); + RecordVal* cert_record = ParseCertificate(cert_val, GetFile()); // and send the record on to scriptland val_list* vl = new val_list(); @@ -86,7 +86,7 @@ bool file_analysis::X509::EndOfFile() return false; } -RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* fid) +RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f) { ::X509* ssl_cert = cert_val->GetCertificate(); @@ -133,8 +133,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* pX509Cert->Assign(3, new StringVal(len, buf)); BIO_free(bio); - pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid, reporter), TYPE_TIME)); - pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid, reporter), TYPE_TIME)); + pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter), TYPE_TIME)); + pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter), TYPE_TIME)); // we only read 255 bytes because byte 256 is always 0. // if the string is longer than 255, that will be our null-termination, 
@@ -236,7 +236,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) } else - reporter->Weird(fmt("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_invalid_basic_constraint"); } void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) @@ -266,7 +266,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) GENERAL_NAMES *altname = (GENERAL_NAMES*)X509V3_EXT_d2i(ext); if ( ! altname ) { - reporter->Weird(fmt("Could not parse subject alternative names. fuid %s", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_san_parse_error"); return; } @@ -286,7 +286,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) { if ( ASN1_STRING_type(gen->d.ia5) != V_ASN1_IA5STRING ) { - reporter->Weird(fmt("DNS-field does not contain an IA5String. fuid %s", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_san_non_string"); continue; } @@ -337,7 +337,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) else { - reporter->Weird(fmt("Weird IP address length %d in subject alternative name. fuid %s", gen->d.ip->length, GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_san_ip_length", fmt("%d", gen->d.ip->length)); continue; } } diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 91a5a7a5a1..a3dc62e533 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h 
@@ -79,13 +79,13 @@ public: * * @param cert_val The certificate to converts. * - * @param fid A file ID associated with the certificate, if any + * @param f A file associated with the certificate, if any * (primarily for error reporting). * * @param Returns the new record value and passes ownership to * caller. */ - static RecordVal* ParseCertificate(X509Val* cert_val, const char* fid = 0); + static RecordVal* ParseCertificate(X509Val* cert_val, File* file = 0); static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return new X509(args, file); } diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index d59a383b78..b6c16fc1dc 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -20,9 +20,16 @@ X509Common::X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* ar { } -double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) +static void EmitWeird(const char* name, File* file, const char* addl = "") + { + if ( file ) + reporter->Weird(file, name, addl); + else + reporter->Weird(name); + } + +double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter) { - const char *fid = arg_fid ? arg_fid : ""; time_t lResult = 0; char lBuffer[26]; @@ -35,14 +42,14 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, { if ( remaining < 11 || remaining > 17 ) { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); + EmitWeird("x509_utc_length", f); return 0; } if ( pString[remaining-1] != 'Z' ) { // not valid according to RFC 2459 4.1.2.5.1 - reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); + EmitWeird("x509_utc_format", f); return 0; } 
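Review bot: The updated doc comment for ParseCertificate documents `@param f`, but the declaration on the new side names the parameter `file` (`File* file = 0`), while the definition in X509.cc uses `File* f`. Doc tooling matches on the declared name, so either the tag should read `@param file A file associated with the certificate, if any (primarily for error reporting).` or the declaration should be renamed to `f`. The neighbouring `@param Returns` line looks like it was meant to be `@return`.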
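Review bot: The new `EmitWeird` helper in X509Common.cc drops `addl` when `file` is null, because that branch calls `reporter->Weird(name)` only. `GetExtensionFromBIO` defaults `f` to 0 and passes the OpenSSL error text as `addl`, so callers without a file lose the one detail that explains the failure. The helper also uses the global `reporter`, so the `Reporter* reporter` argument of `GetTimeFromAsn1` is no longer consulted for these weirds in the hunks shown. Taking the reporter as a parameter and forwarding `addl` in both branches (if the name-only overload accepts one) would keep the two paths equivalent. GetTimeFromAsn1 continues beyond this hunk.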
@@ -71,7 +78,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, if ( remaining < 12 || remaining > 23 ) { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); + EmitWeird("x509_gen_time_length", f); return 0; } @@ -82,7 +89,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, } else { - reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); + EmitWeird("x509_invalid_time_type", f); return 0; } @@ -115,7 +122,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, else { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); + EmitWeird("x509_time_add_char", f); return 0; } @@ -130,13 +137,13 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, { if ( remaining < 5 ) { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); + EmitWeird("x509_time_offset_underflow", f); return 0; } if ((*pString != '+') && (*pString != '-')) { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); + EmitWeird("x509_time_offset_type", f); return 0; } @@ -249,7 +256,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP } } - StringVal* ext_val = GetExtensionFromBIO(bio); + StringVal* ext_val = GetExtensionFromBIO(bio, GetFile()); if ( ! ext_val ) ext_val = new StringVal(0, ""); @@ -282,7 +289,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP ParseExtensionsSpecific(ex, global, ext_asn, oid); } -StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio) +StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f) { BIO_flush(bio); ERR_clear_error(); 
@@ -292,7 +299,7 @@ StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio) { char tmp[120]; ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); - reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); + EmitWeird("x509_get_ext_from_bio", f, tmp); BIO_free_all(bio); return 0; } diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h index a7015bc235..2f02357cca 100644 --- a/src/file_analysis/analyzer/x509/X509Common.h +++ b/src/file_analysis/analyzer/x509/X509Common.h @@ -25,11 +25,13 @@ public: * @param bio the OpenSSL BIO to read. It will be freed by the function, * including when an error occurs. * + * @param f an associated file, if any (used for error reporting). + * * @return The X509 extension value. */ - static StringVal* GetExtensionFromBIO(BIO* bio); + static StringVal* GetExtensionFromBIO(BIO* bio, File* f = 0); - static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter); + static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter); protected: X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file); diff --git a/src/reporter.bif b/src/reporter.bif index 4a58e2728b..71fc50b49d 100644 --- a/src/reporter.bif +++ b/src/reporter.bif 
@@ -127,6 +127,27 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul return val_mgr->GetBool(1); %} +## Generates a "file" weird. +## +## name: the name of the weird. +## +## f: the file associated with the weird. +## +## addl: additional information to accompany the weird. +## +## Returns: true if the file was still valid, else false. +function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=""%): bool + %{ + auto fuid = f->AsRecordVal()->Lookup(0)->AsStringVal(); + auto file = file_mgr->LookupFile(fuid->CheckString()); + + if ( ! file ) + return val_mgr->GetBool(0); + + reporter->Weird(file, name->CheckString(), addl->CheckString()); + return val_mgr->GetBool(1); + %} + ## Gets the weird sampling whitelist ## ## Returns: Current weird sampling whitelist diff --git a/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log b/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log index 9da1a8d3ba..ee45663170 100644 --- a/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log +++ b/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log @@ -6,5 +6,5 @@ #open 2012-04-05-21-56-51 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string -1333663011.602839 - - - - - unknown_protocol_135 - F bro +1333663011.602839 - - - - - unknown_protocol - F bro #close 2012-04-05-21-56-51 diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log index dbdf6b2bef..964ae1dede 100644 --- a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log 
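Review bot: `f->AsRecordVal()->Lookup(0)` in `Reporter::file_weird` relies on the file id being field 0 of `fa_file`, which nothing in this hunk states. A one-line comment, `// field 0 of fa_file is the file id`, would make that dependency visible to whoever reorders the record. File.h in this patch shows a `static int id_idx` that appears to hold the same index, though it is protected there. If `Lookup(0)` can return null for a script-constructed record, the chained `AsStringVal()` would dereference it, so that is worth confirming.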
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-16-30 +#open 2019-04-02-01-01-40 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1093521678.945447 CHhAvVGS1DHFjwGM9 10.0.0.57 2387 10.0.0.3 502 tcp - 0.000493 0 0 SF - - 0 FafA 2 80 2 80 - @@ -13,6 +13,6 @@ 1093522946.554059 CUM0KZ3MLUfNB0cl11 10.0.0.57 2585 10.0.0.8 502 tcp - 76.561880 926 0 SF - - 0 ShADafF 8 1254 7 288 - 1093523065.562221 CmES5u32sYpV7JYN 10.0.0.8 502 10.0.0.57 4446 tcp - 155.114237 128 0 SF - - 0 ShADaFf 16 776 15 608 - 1153491879.610371 CP5puj4I8PtEU4qzYg 192.168.66.235 2582 166.161.16.230 502 tcp - 2.905078 0 0 S0 - - 0 S 2 96 0 0 - -1153491888.530306 C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 tcp modbus 85.560847 1692 1278 S1 - - 0 ShADad 167 8380 181 8522 - +1153491888.530306 C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 tcp - 85.560847 1692 1278 S1 - - 0 ShADad 167 8380 181 8522 - 1342774499.588269 C3eiCBGOLw3VtHfOj 10.1.1.234 51411 10.10.5.85 502 tcp modbus 2100.811351 237936 4121200 S2 - - 0 ShADdaF 39659 2300216 20100 5166412 - -#close 2016-07-13-16-16-33 +#close 2019-04-02-01-01-42 diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log deleted file mode 100644 index 00c668fb27..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log +++ /dev/null 
@@ -1,13 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path weird -#open 2016-07-13-16-16-39 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1153491909.414066 - - - - - truncated_IP - F bro -1153491912.529443 CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 binpac exception: out_of_bound: WriteSingleRegisterRequest: 4 > 0 - F bro -1153491920.661039 CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 TCP_ack_underflow_or_misorder - F bro -1153491929.715910 CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 TCP_seq_underflow_or_misorder - F bro -#close 2016-07-13-16-16-39 diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log b/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log deleted file mode 100644 index 800b9ec4eb..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path weird -#open 2018-08-30-14-12-39 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1445502056.228889 CHhAvVGS1DHFjwGM9 192.168.2.166 1987 192.168.88.95 502 binpac exception: out_of_bound: ReadWriteMultipleRegistersRequest:write_register_values: 16932 > 191 - F bro -#close 2018-08-30-14-12-39 diff --git a/testing/btest/scripts/base/protocols/modbus/events.bro b/testing/btest/scripts/base/protocols/modbus/events.bro index fe748fa3dc..55a3f3cb04 100644 --- a/testing/btest/scripts/base/protocols/modbus/events.bro +++ b/testing/btest/scripts/base/protocols/modbus/events.bro 
@@ -7,6 +7,7 @@ # @TEST-EXEC: btest-diff coverage # @TEST-EXEC: btest-diff conn.log +redef DPD::ignore_violations_after = 1; event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) { diff --git a/testing/btest/scripts/base/protocols/modbus/exception_handling.test b/testing/btest/scripts/base/protocols/modbus/exception_handling.test index 9d15c754f9..8a4fadcbeb 100644 --- a/testing/btest/scripts/base/protocols/modbus/exception_handling.test +++ b/testing/btest/scripts/base/protocols/modbus/exception_handling.test @@ -1,10 +1,8 @@ # @TEST-EXEC: bro -r $TRACES/modbus/fuzz-72.trace # @TEST-EXEC: btest-diff modbus.log -# @TEST-EXEC: btest-diff weird.log # The pcap has a flow with some fuzzed modbus traffic in it that should cause # the binpac-generated analyzer code to throw a binpac::ExceptionOutOfBound. # This should be correctly caught as a type of binpac::Exception and the # binpac::ModbusTCP::Exception type that's defined as part of the analyzer # shouldn't interfere with that handling and definitely shouldn't crash bro. -# A weird is currently emitted for parsing exceptions. diff --git a/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro b/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro index 35835e4b64..17371f3788 100644 --- a/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro +++ b/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro @@ -12,4 +12,3 @@ # data buffer. # @TEST-EXEC: bro -r $TRACES/modbus/4SICS-GeekLounge-151022-min.pcap -# @TEST-EXEC: btest-diff weird.log diff --git a/testing/btest/scripts/base/protocols/modbus/policy.bro b/testing/btest/scripts/base/protocols/modbus/policy.bro index b28ebd3b4b..8f7e41c274 100644 --- a/testing/btest/scripts/base/protocols/modbus/policy.bro +++ b/testing/btest/scripts/base/protocols/modbus/policy.bro @@ -7,3 +7,5 @@ @load protocols/modbus/known-masters-slaves.bro @load protocols/modbus/track-memmap.bro + +redef DPD::ignore_violations_after = 1; 
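Review bot: The added `redef DPD::ignore_violations_after = 1;` in events.bro has no comment, and the same line is appended to policy.bro in the last hunk of this patch, so a reader cannot tell why two Modbus tests need a non-default DPD threshold. The patch also drops the weird.log checks from the neighbouring tests, so the redef is the only visible trace of how parse violations are meant to be handled here. I would put a line above each redef, for example `# Ignore analyzer violations past the first byte so DPD does not drop the Modbus analyzer mid-trace (confirm intent).`. The wording of that comment is inferred from the option name and needs the author's confirmation.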
diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 0a59fc487b..e202437bb2 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -1de9cb3f7386e8243431f57b00d87b0ecf98e5ef +b9e28fecbc04c1fe37906f6d6078fb11114b6661 diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index c5e623029b..8366c51105 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -47df32597eb14183ca0a468be4ab1525417d79dc +68e6f55eaaced3f4f42b8e291f6e97dd709833c0 From faa0f43558ce4d0b80bcc878fa9cfbd853299c3b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 2 Apr 2019 10:41:32 -0700 Subject: [PATCH 50/88] Fix reporter net_weird API usage for unknown_mobility_type (This code path is pre-processed out by default) --- src/IP.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/IP.cc b/src/IP.cc index 516be7fdd4..589c973e72 100644 --- a/src/IP.cc +++ b/src/IP.cc @@ -288,7 +288,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const } default: - reporter->Weird(fmt("unknown_mobility_type", mob->ip6mob_type)); + reporter->Weird("unknown_mobility_type"); break; } From 3f7bbf2784d094787e6c7cb32adb0fc658fb8a86 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 3 Apr 2019 13:26:51 -0700 Subject: [PATCH 51/88] Update external test commit pointers --- testing/external/commit-hash.zeek-testing | 2 +- testing/external/commit-hash.zeek-testing-private | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 0a59fc487b..029d39391b 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -1de9cb3f7386e8243431f57b00d87b0ecf98e5ef +37f541404be417d5b092b8b36c7c1c84d2f307e9 
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index c5e623029b..a99b5e8d7b 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -47df32597eb14183ca0a468be4ab1525417d79dc +de8e378210cacc599d8e59e1204286f7fe9cbc1b From 7c48aad5826738502765b2f079782ec2549d7b1c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 4 Apr 2019 12:27:42 -0700 Subject: [PATCH 52/88] Update DTLS error handling DTLS now only outputs protocol violations once it saw something that looked like a DTLS connection (at least a client hello). Before the danger that it misinterprets something is too high. It has a configurable number of invalid packets that it can skip over (because other protocols might be interleaved with the connection) and a maximum amount of Protocol violations that it outputs because of wrong packet versions. --- doc | 2 +- scripts/base/init-bare.bro | 11 ++++++++ src/analyzer/protocol/ssl/CMakeLists.txt | 3 ++- src/analyzer/protocol/ssl/consts.bif | 2 ++ src/analyzer/protocol/ssl/dtls-protocol.pac | 27 ++++++++++++++++++- src/analyzer/protocol/ssl/dtls.pac | 1 + .../canonified_loaded_scripts.log | 5 ++-- .../canonified_loaded_scripts.log | 5 ++-- testing/btest/Baseline/plugins.hooks/output | 17 +++++++----- .../.stdout | 0 .../base/protocols/ssl/dtls-no-dtls.test | 15 +++++++++++ 11 files changed, 74 insertions(+), 14 deletions(-) create mode 100644 src/analyzer/protocol/ssl/consts.bif create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls-no-dtls/.stdout create mode 100644 testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test diff --git a/doc b/doc index 5aa921f0f6..2036846610 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 5aa921f0f6ce2931e446a11f2a10cffb7f0dbc09 +Subproject commit 203684661040089877830eb98e12a6d4c18a4675 
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 0c32cebcc5..e94efd07df 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -4169,6 +4169,17 @@ export { HashAlgorithm: count; ##< Hash algorithm number SignatureAlgorithm: count; ##< Signature algorithm number }; + + +## Number of non-DTLS frames that can occur in a DTLS connection before +## parsing of the connection is suspended. +## DTLS does not immediately stop parsing a connection because other protocols +## might be interleaved in the same UDP "connection". +const SSL::dtls_max_version_errors = 10 &redef; + +## Maximum number of invalid version errors to report in one DTLS connection. +const SSL::dtls_max_reported_version_errors = 1 &redef; + } module GLOBAL; diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index 14e41892c8..3193470635 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -8,6 +8,7 @@ bro_plugin_cc(SSL.cc DTLS.cc Plugin.cc) bro_plugin_bif(types.bif) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) +bro_plugin_bif(consts.bif) bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac proc-client-hello.pac proc-server-hello.pac @@ -16,7 +17,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz ) bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac proc-client-hello.pac - proc-server-hello.pac + proc-server-hello.pac proc-certificate.pac ) bro_plugin_pac(dtls.pac ssl-dtls-analyzer.pac dtls-analyzer.pac ssl-dtls-protocol.pac dtls-protocol.pac ssl-defs.pac) diff --git a/src/analyzer/protocol/ssl/consts.bif b/src/analyzer/protocol/ssl/consts.bif new file mode 100644 index 0000000000..9dcbaa65d5 --- /dev/null +++ b/src/analyzer/protocol/ssl/consts.bif 
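Review bot: The doc comment on `SSL::dtls_max_version_errors` reads as a per-connection total, but dtls_version_ok in dtls-protocol.pac (later in this patch) sets the counter back to 0 on every valid DTLSv10/DTLSv12 record once the protocol is confirmed. Parsing is suspended only when the count exceeds the configured value. An operator tuning this limit for noisy UDP ports needs that distinction, so I would add `## The count restarts after each valid record once the connection is confirmed as DTLS; parsing is suspended when it exceeds this value.`. Both constants are added inside an export block that opens outside the hunk.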
@@ -0,0 +1,2 @@ +const SSL::dtls_max_version_errors: count; +const SSL::dtls_max_reported_version_errors: count; diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac index 771aa267b3..70897a585c 100644 --- a/src/analyzer/protocol/ssl/dtls-protocol.pac +++ b/src/analyzer/protocol/ssl/dtls-protocol.pac @@ -45,15 +45,40 @@ type Handshake(rec: SSLRecord) = record { refine connection SSL_Conn += { + %member{ + uint16 invalid_version_count_; + uint16 reported_errors_; + %} + + %init{ + invalid_version_count_ = 0; + reported_errors_ = 0; + %} + function dtls_version_ok(version: uint16): uint16 %{ switch ( version ) { case DTLSv10: case DTLSv12: + // Reset only to 0 once we have seen a client hello. + // This means the connection gets a limited amount of valid/invalid + // packets before a client hello has to be seen - which seems reasonable. + if ( bro_analyzer()->ProtocolConfirmed() ) + invalid_version_count_ = 0; return true; default: - bro_analyzer()->ProtocolViolation(fmt("Invalid version in DTLS connection. Packet reported version: %d", version)); + invalid_version_count_++; + + if ( bro_analyzer()->ProtocolConfirmed() ) + { + reported_errors_++; + if ( reported_errors_ <= BifConst::SSL::dtls_max_reported_version_errors ) + bro_analyzer()->ProtocolViolation(fmt("Invalid version in DTLS connection. Packet reported version: %d", version)); + } + + if ( invalid_version_count_ > BifConst::SSL::dtls_max_version_errors ) + bro_analyzer()->SetSkip(true); return false; } %} diff --git a/src/analyzer/protocol/ssl/dtls.pac b/src/analyzer/protocol/ssl/dtls.pac index b08dd61f8f..b2aa34d5c5 100644 --- a/src/analyzer/protocol/ssl/dtls.pac +++ b/src/analyzer/protocol/ssl/dtls.pac @@ -10,6 +10,7 @@ namespace analyzer { namespace dtls { class DTLS_Analyzer; } } typedef analyzer::dtls::DTLS_Analyzer* DTLSAnalyzer; #include "DTLS.h" +#include "consts.bif.h" %} extern type DTLSAnalyzer; 
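Review bot: In dtls_version_ok, `reported_errors_` is a uint16 that is incremented on every invalid record after confirmation, with no upper bound. On a confirmed connection where valid records keep resetting `invalid_version_count_`, the skip never triggers, `reported_errors_` wraps after 65536 bad records, and violations are reported again. Incrementing only while below the limit avoids the wrap: `if ( reported_errors_ < BifConst::SSL::dtls_max_reported_version_errors ) { reported_errors_++; bro_analyzer()->ProtocolViolation(...); }`. Both members are also compared against script-level `count` values, so a redef above 65535 can never be exceeded by `invalid_version_count_`; a wider member type would remove that ceiling. Separately, the function is declared to return uint16 but returns true/false.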
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 4eeaa4b07b..bd24bf02aa 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2018-06-08-16-37-15 +#open 2019-04-04-19-22-03 #fields name #types string scripts/base/init-bare.bro @@ -149,6 +149,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_SSL.types.bif.bro build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.consts.bif.bro build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro @@ -179,4 +180,4 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2018-06-08-16-37-15 +#close 2019-04-04-19-22-03 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index eaca1c489a..540910b350 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2018-09-05-20-33-08 +#open 2019-04-04-19-22-06 #fields name #types string scripts/base/init-bare.bro 
@@ -149,6 +149,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_SSL.types.bif.bro build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.consts.bif.bro build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro @@ -373,4 +374,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2018-09-05-20-33-08 +#close 2019-04-04-19-22-06 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index d4a84a5223..04908bed0b 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -277,7 +277,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -462,7 +462,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -678,6 +678,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.consts.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.types.bif.bro) -> -1 
@@ -1179,7 +1180,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1364,7 +1365,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1580,6 +1581,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.consts.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.types.bif.bro) @@ -2080,7 +2082,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2265,7 +2267,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2481,6 +2483,7 @@ 0.000000 | HookLoadFile .<...>/Bro_SQLiteWriter.sqlite.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SSH.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SSH.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.consts.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SSL.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SSL.functions.bif.bro 0.000000 | HookLoadFile .<...>/Bro_SSL.types.bif.bro @@ -2699,7 +2702,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-no-dtls/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-no-dtls/.stdout new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test b/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test new file mode 100644 index 0000000000..c8721529c9 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test @@ -0,0 +1,15 @@ +# This tests checks that non-dtls connections to which we attach don't trigger tons of errors. + +# @TEST-EXEC: bro -C -r $TRACES/dns-txt-multiple.trace %INPUT +# @TEST-EXEC: btest-diff .stdout + +event bro_init() + { + const add_ports = { 53/udp }; + Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, add_ports); + } + +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) + { + print c$id, atype, reason; + } From 5e9b119a086f5311d5462d86615732eb23ddc65e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 5 Apr 2019 12:35:50 -0700 Subject: [PATCH 53/88] Use a default binpac flowbuffer policy --- aux/binpac | 2 +- src/main.cc | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/aux/binpac b/aux/binpac index bb2476465e..ce89e30109 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit bb2476465e304a00c368bd73d40cc6f734be5311 +Subproject commit ce89e301091fd8fd6ef53701b7b29a79d888b637 diff --git a/src/main.cc b/src/main.cc index 473f3a72e7..09b1ebfaeb 100644 --- a/src/main.cc +++ b/src/main.cc @@ -893,7 +893,11 @@ int main(int argc, char** argv) // Must come after plugin activation (and also after hash // initialization). - binpac::init(); + binpac::FlowBuffer::Policy flowbuffer_policy; + flowbuffer_policy.max_capacity = 10 * 1024 * 1024; + flowbuffer_policy.min_capacity = 512; + flowbuffer_policy.contract_threshold = 2 * 1024 * 1024; + binpac::init(&flowbuffer_policy); init_event_handlers(); From fe044ecc903e14b4520f21b9fc85def72e094af7 Mon Sep 17 00:00:00 2001 
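Review bot: The three FlowBuffer limits set in main() are bare literals with no comment on units or rationale, although they apply to every binpac analyzer at once. `max_capacity` is the value that bounds how much one flow can make a parser buffer, so it is worth stating next to the assignment. I would add a comment such as `// Cap each flow buffer at 10 MiB; allow shrinking toward 512 bytes once a buffer above 2 MiB is no longer needed.`. The contraction semantics in that wording are inferred from the field names and should be checked against the binpac revision this patch pins. main() starts and ends outside the hunk.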
From: Jon Siwek Date: Fri, 5 Apr 2019 12:42:29 -0700 Subject: [PATCH 54/88] Set PE analyzer CMake dependencies correctly --- src/file_analysis/analyzer/pe/CMakeLists.txt | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/file_analysis/analyzer/pe/CMakeLists.txt b/src/file_analysis/analyzer/pe/CMakeLists.txt index 7fc89bfd51..5708f98e8f 100644 --- a/src/file_analysis/analyzer/pe/CMakeLists.txt +++ b/src/file_analysis/analyzer/pe/CMakeLists.txt @@ -6,5 +6,12 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro PE) bro_plugin_cc(PE.cc Plugin.cc) bro_plugin_bif(events.bif) -bro_plugin_pac(pe.pac pe-file.pac pe-analyzer.pac) +bro_plugin_pac( + pe.pac + pe-analyzer.pac + pe-file-headers.pac + pe-file-idata.pac + pe-file.pac + pe-file-types.pac +) bro_plugin_end() From c94358f1aa4a60cd75aa8f6faf89b60b7fdd9006 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 5 Apr 2019 12:43:47 -0700 Subject: [PATCH 55/88] Improve PE file analysis * Consider parsing done after processing headers * Remove the analyzer when done parsing * Enforce a maximum DOS stub program length (helps filter out non-PE) --- src/file_analysis/analyzer/pe/PE.cc | 5 +++-- src/file_analysis/analyzer/pe/pe-file-headers.pac | 10 +++++++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc index 9db13291b0..070aff32dd 100644 --- a/src/file_analysis/analyzer/pe/PE.cc +++ b/src/file_analysis/analyzer/pe/PE.cc @@ -20,7 +20,8 @@ PE::~PE() bool PE::DeliverStream(const u_char* data, uint64 len) { if ( conn->is_done() ) - return true; + return false; + try { interp->NewData(data, data + len); @@ -30,7 +31,7 @@ bool PE::DeliverStream(const u_char* data, uint64 len) return false; } - return true; + return ! conn->is_done(); } bool PE::EndOfFile() 
diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac index f12d76e035..9eee6e03da 100644 --- a/src/file_analysis/analyzer/pe/pe-file-headers.pac +++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac @@ -1,3 +1,8 @@ +# Do not try parsing if the DOS stub program seems larger than 4mb. +# DOS stub programs are not expected to be much more than on the order of +# hundreds of bytes even though the format allows a full 32-bit range. +let MAX_DOS_CODE_LENGTH = 4 * 1024 * 1024; + type Headers = record { dos_header : DOS_Header; dos_code : DOS_Code(dos_code_len); @@ -6,6 +11,9 @@ type Headers = record { } &let { dos_code_len: uint32 = dos_header.AddressOfNewExeHeader > 64 ? dos_header.AddressOfNewExeHeader - 64 : 0; length: uint64 = 64 + dos_code_len + pe_header.length + section_headers.length; + + # Do not care about parsing rest of the file so mark done now ... + proc: bool = $context.connection.mark_done(); }; # The DOS header gives us the offset of the NT headers @@ -28,7 +36,7 @@ type DOS_Header = record { OEMid : uint16; OEMinfo : uint16; Reserved2 : uint16[10]; - AddressOfNewExeHeader : uint32; + AddressOfNewExeHeader : uint32 &enforce(AddressOfNewExeHeader >= 64 && (AddressOfNewExeHeader - 64) < MAX_DOS_CODE_LENGTH); } &length=64; type DOS_Code(len: uint32) = record { From 23c244d448de2b936797de4adeddf12b7135af58 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 5 Apr 2019 17:06:03 -0700 Subject: [PATCH 56/88] Change next version number in NEWS --- NEWS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 13f05baa3b..bde87d6f55 100644 --- a/NEWS +++ b/NEWS @@ -3,8 +3,8 @@ This document summarizes the most important changes in the current Bro release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as Broker, come with their own ``CHANGES``.) -Bro 2.7 -======= +Zeek 3.0.0 +========== New Functionality ----------------- 
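Review bot: The `&enforce` on AddressOfNewExeHeader rejects two different conditions, an offset that falls inside the 64-byte DOS header and a stub of MAX_DOS_CODE_LENGTH bytes or more, but only the size cap is explained. The comment on the constant also says "larger than 4mb", while the check is a strict `<` against 4 * 1024 * 1024. I would document the field directly: `# Offset must lie at or past the 64-byte DOS header; stub length must stay below MAX_DOS_CODE_LENGTH (4 MiB).`. With the lower bound enforced, the `> 64 ? ... : 0` guard in `dos_code_len` looks redundant as underflow protection, and a short comment there would save the next reader the check. The Headers and DOS_Header records continue outside the hunks.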
From 9c843a7d83c4a7f658f68a9ef2627ff8d34171bf Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 5 Apr 2019 17:06:26 -0700 Subject: [PATCH 57/88] Add script to update external test repo commit pointers It will prompt to update the file storing the external test repo commit hash when a change is detected upon running update-changes. --- .update-changes.cfg | 12 +---- CHANGES | 4 ++ VERSION | 2 +- .../scripts/update-external-repo-pointer.sh | 49 +++++++++++++++++++ 4 files changed, 56 insertions(+), 11 deletions(-) create mode 100755 testing/scripts/update-external-repo-pointer.sh diff --git a/.update-changes.cfg b/.update-changes.cfg index e3d04b7422..ed23fb4565 100644 --- a/.update-changes.cfg +++ b/.update-changes.cfg @@ -7,15 +7,7 @@ function new_version_hook # test suite repos to check out on a CI system. version=$1 - if [ -d testing/external/zeek-testing ]; then - echo "Updating testing/external/commit-hash.zeek-testing" - ( cd testing/external/zeek-testing && git fetch origin && git rev-parse origin/master ) > testing/external/commit-hash.zeek-testing - git add testing/external/commit-hash.zeek-testing - fi + ./testing/scripts/update-external-repo-pointer.sh testing/external/zeek-testing testing/external/commit-hash.zeek-testing - if [ -d testing/external/zeek-testing-private ]; then - echo "Updating testing/external/commit-hash.zeek-testing-private" - ( cd testing/external/zeek-testing-private && git fetch origin && git rev-parse origin/master ) > testing/external/commit-hash.zeek-testing-private - git add testing/external/commit-hash.zeek-testing-private - fi + ./testing/scripts/update-external-repo-pointer.sh testing/external/zeek-testing-private testing/external/commit-hash.zeek-testing-private } diff --git a/CHANGES b/CHANGES index e0be717f10..43fa7e3ad7 100644 --- a/CHANGES +++ b/CHANGES 
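Review bot: new_version_hook now calls the helper script unconditionally, but the removed code skipped each repo silently when its directory was absent, and the new script prints "External repo does not exist" and exits 1 in that case. On a checkout without testing/external/zeek-testing-private the hook therefore ends with a non-zero status; whether update-changes treats that as fatal is not visible here. Keeping the old guard preserves the previous behaviour: `if [ -d testing/external/zeek-testing-private ]; then ./testing/scripts/update-external-repo-pointer.sh testing/external/zeek-testing-private testing/external/commit-hash.zeek-testing-private; fi`, and likewise for zeek-testing. The function body begins outside the hunk.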
@@ -1,4 +1,8 @@ +2.6-205 | 2019-04-05 17:06:26 -0700 + + * Add script to update external test repo commit pointers (Jon Siwek, Corelight) + 2.6-203 | 2019-04-04 16:35:52 -0700 * Update DTLS error handling (Johanna Amann, Corelight) diff --git a/VERSION b/VERSION index 92df2bb961..a0c99ee2be 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-203 +2.6-205 diff --git a/testing/scripts/update-external-repo-pointer.sh b/testing/scripts/update-external-repo-pointer.sh new file mode 100755 index 0000000000..e6711a0d9d --- /dev/null +++ b/testing/scripts/update-external-repo-pointer.sh @@ -0,0 +1,49 @@ +#! /usr/bin/env bash + +set -e + +if [ $# -ne 2 ]; then + echo "usage: $0 " + exit 1 +fi + +repo_dir=$1 +hash_file=$2 + +repo_base=$(basename $repo_dir) +file_base=$(basename $hash_file) + +if [ ! -d "$repo_dir" ]; then + echo "External repo does not exist: $repo_dir" + exit 1 +fi + +printf "Checking for '$repo_base' changes ..." + +origin_hash=$(cd $repo_dir && git fetch origin && git rev-parse origin/master) +head_hash=$(cd $repo_dir && git rev-parse HEAD) +file_hash=$(cat $hash_file) + +if [ "$file_hash" != "$head_hash" ]; then + printf "\n" + printf "\n" + printf " '$repo_base' pointer has changed:\n" + + line=" $file_base at $file_hash" + len=${#line} + + printf "%${len}s\n" "$line" + printf "%${len}s\n" "origin/master at $origin_hash" + printf "%${len}s\n" "HEAD at $head_hash" + printf "\n" + printf "Update file '$file_base' to HEAD commit ? " + + read -p "[Y/n] " choice + + case "$choice" in + n|N) echo "Skipped '$repo_base'";; + *) echo $head_hash > $hash_file && git add $hash_file && echo "Updated '$file_base'";; + esac +else + echo " none" +fi From 0c508f828016922e5897d27a826c9de796138c70 Mon Sep 17 00:00:00 2001 
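Review bot: In update-external-repo-pointer.sh, `$repo_dir`, `$hash_file` and `$head_hash` are expanded unquoted in `basename`, `cd`, `cat`, the redirect and `git add`, so a path containing whitespace or glob characters is split or expanded before use. The `printf` calls also interpolate `$repo_base` and `$file_base` into the format string, where a `%` or backslash in a name would be interpreted as a directive. Quoting every expansion and passing the names as `%s` arguments fixes both; the other two `printf` lines that embed `$repo_base` and `$file_base` should get the same `%s` treatment. The usage message as shown names no arguments, which may be a rendering artefact but is worth checking in the file.

```shell
repo_base=$(basename "$repo_dir")
file_base=$(basename "$hash_file")
# … unchanged: existence check on the repo directory …
printf "Checking for '%s' changes ..." "$repo_base"

origin_hash=$(cd "$repo_dir" && git fetch origin && git rev-parse origin/master)
head_hash=$(cd "$repo_dir" && git rev-parse HEAD)
file_hash=$(cat "$hash_file")
# … unchanged: comparison and pointer summary output …
    *) echo "$head_hash" > "$hash_file" && git add "$hash_file" && echo "Updated '$file_base'";;
```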
From: Mauro Palumbo Date: Mon, 8 Apr 2019 22:32:14 +0200 Subject: [PATCH 58/88] smb2_write_response event added --- src/analyzer/protocol/smb/smb2-com-write.pac | 9 +++++++++ src/analyzer/protocol/smb/smb2_com_write.bif | 15 +++++++++++++++ .../.stdout | 0 .../base/protocols/smb/smb2-write-response.test | 13 +++++++++++++ 4 files changed, 37 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2-write-response/.stdout create mode 100644 testing/btest/scripts/base/protocols/smb/smb2-write-response.test diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac index 177a3a84bd..c117fc793d 100644 --- a/src/analyzer/protocol/smb/smb2-com-write.pac +++ b/src/analyzer/protocol/smb/smb2-com-write.pac @@ -24,6 +24,15 @@ refine connection SMB_Conn += { function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool %{ + + if ( smb2_write_response ) + { + BifEvent::generate_smb2_write_response(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(h), + ${val.write_count}); + } + return true; %} diff --git a/src/analyzer/protocol/smb/smb2_com_write.bif b/src/analyzer/protocol/smb/smb2_com_write.bif index 90efce049c..66dab9b077 100644 --- a/src/analyzer/protocol/smb/smb2_com_write.bif +++ b/src/analyzer/protocol/smb/smb2_com_write.bif 
@@ -16,3 +16,18 @@ ## ## .. bro:see:: smb2_message event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *write*. This is sent by the server in response to a write request or +## named pipe on the server. +## +## For more information, see MS-SMB2:2.2.22 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## length: The number of bytes of the file being written. +## +## .. bro:see:: smb2_message +event smb2_write_response%(c: connection, hdr: SMB2::Header, length: count%); diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-write-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-write-response/.stdout new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/scripts/base/protocols/smb/smb2-write-response.test b/testing/btest/scripts/base/protocols/smb/smb2-write-response.test new file mode 100644 index 0000000000..68c9ad47f6 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb2-write-response.test @@ -0,0 +1,13 @@ +# @TEST-EXEC: bro -r $TRACES/smb/smb2readwrite.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb + +# A test for write response. +event smb2_write_response(c: connection, hdr: SMB2::Header, length: count) + { + print fmt("smb2_write_response %s -> %s:%d, length: %d", c$id$orig_h, c$id$resp_h, c$id$resp_p, length); + print (hdr); + } + + From 7366155bad048368d96fd120c0226d9fa6ff08d7 Mon Sep 17 00:00:00 2001 
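Review bot: The doc comment added for `smb2_write_response` in smb2_com_write.bif still reads like the request's description: it opens with "version 2 requests of type *write*" and documents `length` as "The number of bytes of the file being written", although the event is raised for the server's response and the .pac side passes `${val.write_count}`. Suggested wording: `## version 2 responses of type *write*. This is sent by the server in response to a write request.` and `## length: The number of bytes the server reports as written.` Listing `smb2_write_request` on the `.. bro:see::` line would also link the two events in the generated docs.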
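Review bot: The baseline committed for smb2-write-response.test is the empty blob (`.stdout`, index `e69de29bb2`, shown with 0 lines in the diffstat), while the handler in the test prints on every `smb2_write_response`. As committed, `btest-diff .stdout` therefore appears to pass only when the event never fires, so the test does not show that the new event is generated. The baseline should be regenerated from a run in which the handler prints, or, if smb2readwrite.pcap holds no write response, the test needs a trace that does.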
From: Daniel Thayer Date: Tue, 9 Apr 2019 01:26:16 -0500 Subject: [PATCH 59/88] Update script search logic for new file extension When searching for script files, look for both the new and old file extensions. If a file with ".zeek" can't be found, then search for a file with ".bro" as a fallback. --- src/Debug.cc | 2 +- src/OSFinger.cc | 2 +- src/RuleMatcher.cc | 2 +- src/broxygen/ScriptInfo.cc | 13 +++++--- src/broxygen/Target.cc | 2 +- src/plugin/Manager.cc | 45 ++++++++++++++++--------- src/scan.l | 21 +++++++++--- src/util.cc | 68 ++++++++++++++++++++++++++++++++------ src/util.h | 17 +++++++--- 9 files changed, 129 insertions(+), 43 deletions(-) diff --git a/src/Debug.cc b/src/Debug.cc index 54a40c58d1..a45c27888e 100644 --- a/src/Debug.cc +++ b/src/Debug.cc @@ -348,7 +348,7 @@ vector parse_location_string(const string& s) if ( ! sscanf(line_string.c_str(), "%d", &plr.line) ) plr.type = plrUnknown; - string path(find_file(filename, bro_path(), "bro")); + string path(find_script_file(filename, bro_path())); if ( path.empty() ) { diff --git a/src/OSFinger.cc b/src/OSFinger.cc index df5f30b0cc..1b540a1fd0 100644 --- a/src/OSFinger.cc +++ b/src/OSFinger.cc @@ -295,7 +295,7 @@ void OSFingerprint::load_config(const char* file) char buf[MAXLINE]; char* p; - FILE* c = open_file(find_file(file, bro_path(), "osf")); + FILE* c = open_file(find_file(file, bro_path(), ".osf")); if (!c) { diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index 54228d58dd..5b72264926 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -235,7 +235,7 @@ bool RuleMatcher::ReadFiles(const name_list& files) for ( int i = 0; i < files.length(); ++i ) { - rules_in = open_file(find_file(files[i], bro_path(), "sig")); + rules_in = open_file(find_file(files[i], bro_path(), ".sig")); if ( ! rules_in ) { diff --git a/src/broxygen/ScriptInfo.cc b/src/broxygen/ScriptInfo.cc index a32d96cdd5..da6ba6b44a 100644 --- a/src/broxygen/ScriptInfo.cc +++ b/src/broxygen/ScriptInfo.cc 
@@ -158,7 +158,7 @@ static string make_redef_details(const string& heading, char underline, ScriptInfo::ScriptInfo(const string& arg_name, const string& arg_path) : Info(), name(arg_name), path(arg_path), - is_pkg_loader(SafeBasename(name).result == PACKAGE_LOADER), + is_pkg_loader(is_package_loader(SafeBasename(name).result)), dependencies(), module_usages(), comments(), id_info(), redef_options(), constants(), state_vars(), types(), events(), hooks(), functions(), redefs() @@ -314,7 +314,7 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const if ( it != dependencies.begin() ) rval += ", "; - string path = find_file(*it, bro_path(), "bro"); + string path = find_script_file(*it, bro_path()); string doc = *it; if ( ! path.empty() && is_dir(path.c_str()) ) @@ -365,8 +365,13 @@ time_t ScriptInfo::DoGetModificationTime() const if ( ! info ) { - string pkg_name = *it + "/" + PACKAGE_LOADER; - info = broxygen_mgr->GetScriptInfo(pkg_name); + for (const string& ext : script_extensions) + { + string pkg_name = *it + "/__load__" + ext; + info = broxygen_mgr->GetScriptInfo(pkg_name); + if ( info ) + break; + } if ( ! info ) reporter->InternalWarning("Broxygen failed to get mtime of %s", diff --git a/src/broxygen/Target.cc b/src/broxygen/Target.cc index dba0d67d6c..2610f648e7 100644 --- a/src/broxygen/Target.cc +++ b/src/broxygen/Target.cc @@ -410,7 +410,7 @@ void ScriptTarget::DoFindDependencies(const vector& infos) for ( size_t i = 0; i < script_deps.size(); ++i ) { - if ( SafeBasename(script_deps[i]->Name()).result == PACKAGE_LOADER ) + if ( is_package_loader(SafeBasename(script_deps[i]->Name()).result) ) { string pkg_dir = SafeDirname(script_deps[i]->Name()).result; string target_file = Name() + pkg_dir + "/index.rst"; diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 836520d03a..e098d955c1 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc 
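Review bot: With `PACKAGE_LOADER` removed, the loader stem is now a bare `"__load__"` literal in the loop added to `ScriptInfo::DoGetModificationTime` (`*it + "/__load__" + ext`), and again in `is_package_loader` and `open_package` in src/util.cc. Keeping one named constant for the stem next to `script_extensions` (for example a `package_loader_stem` string) would leave a single place that defines what counts as a package loader. The added `for (const string& ext : script_extensions)` lines also drop the `( ... )` inner spacing used by the surrounding `if ( ! info )` statements. The enclosing function starts and ends outside the hunk.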
@@ -13,6 +13,7 @@ #include "../Reporter.h" #include "../Func.h" #include "../Event.h" +#include "../util.h" using namespace plugin; @@ -182,30 +183,44 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ add_to_bro_path(scripts); } - // First load {scripts}/__preload__.bro automatically. - string init = dir + "scripts/__preload__.bro"; + string init; - if ( is_file(init) ) + // First load {scripts}/__preload__.bro automatically. + for (const string& ext : script_extensions) { - DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); - scripts_to_load.push_back(init); + init = dir + "scripts/__preload__" + ext; + + if ( is_file(init) ) + { + DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); + scripts_to_load.push_back(init); + break; + } } // Load {bif,scripts}/__load__.bro automatically. - init = dir + "lib/bif/__load__.bro"; - - if ( is_file(init) ) + for (const string& ext : script_extensions) { - DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); - scripts_to_load.push_back(init); + init = dir + "lib/bif/__load__" + ext; + + if ( is_file(init) ) + { + DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); + scripts_to_load.push_back(init); + break; + } } - init = dir + "scripts/__load__.bro"; - - if ( is_file(init) ) + for (const string& ext : script_extensions) { - DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); - scripts_to_load.push_back(init); + init = dir + "scripts/__load__" + ext; + + if ( is_file(init) ) + { + DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); + scripts_to_load.push_back(init); + break; + } } // Load shared libraries. diff --git a/src/scan.l b/src/scan.l index c2be426044..4da18b125f 100644 --- a/src/scan.l +++ b/src/scan.l 
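Review bot: The same probe loop is pasted three times in `Manager::ActivateDynamicPluginInternal` (for `scripts/__preload__`, `lib/bif/__load__` and `scripts/__load__`), differing only in the path stem, and the comments above them still name `__preload__.bro` and `__load__.bro`. A single local helper that takes the stem keeps the extension order in one place, so a later change to the lookup cannot be made in one loop and missed in the others. The function starts and ends outside the hunk; the sketch below replaces only the three loops.

```cpp
// … unchanged: add_to_bro_path(scripts) …

// Queue the first existing DIR/STEM.EXT, trying the recognized script
// extensions in their order of preference.
auto queue_first_script = [&](const string& stem)
	{
	for ( const string& ext : script_extensions )
		{
		string candidate = dir + stem + ext;

		if ( is_file(candidate) )
			{
			DBG_LOG(DBG_PLUGINS, " Loading %s", candidate.c_str());
			scripts_to_load.push_back(candidate);
			return;
			}
		}
	};

// First {scripts}/__preload__, then {bif,scripts}/__load__.
queue_first_script("scripts/__preload__");
queue_first_script("lib/bif/__load__");
queue_first_script("scripts/__load__");

// … unchanged: shared-library loading …
```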
@@ -77,6 +77,17 @@ static string find_relative_file(const string& filename, const string& ext) return find_file(filename, bro_path(), ext); } +static string find_relative_script_file(const string& filename) + { + if ( filename.empty() ) + return string(); + + if ( filename[0] == '.' ) + return find_script_file(filename, SafeDirname(::filename).result); + else + return find_script_file(filename, bro_path()); + } + static ino_t get_inode_num(FILE* f, const string& path) { struct stat b; @@ -363,14 +374,14 @@ when return TOK_WHEN; @load{WS}{FILE} { const char* new_file = skip_whitespace(yytext + 5); // Skip "@load". string loader = ::filename; // load_files may change ::filename, save copy - string loading = find_relative_file(new_file, "bro"); + string loading = find_relative_script_file(new_file); (void) load_files(new_file); broxygen_mgr->ScriptDependency(loader, loading); } @load-sigs{WS}{FILE} { const char* file = skip_whitespace(yytext + 10); - string path = find_relative_file(file, "sig"); + string path = find_relative_file(file, ".sig"); int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SIGNATURES, file, path), -1); switch ( rc ) { @@ -430,7 +441,7 @@ when return TOK_WHEN; @unload{WS}{FILE} { // Skip "@unload". const char* file = skip_whitespace(yytext + 7); - string path = find_relative_file(file, "bro"); + string path = find_relative_script_file(file); if ( path.empty() ) reporter->Error("failed find file associated with @unload %s", file); @@ -624,7 +635,7 @@ static bool already_scanned(const string& path) static int load_files(const char* orig_file) { - string file_path = find_relative_file(orig_file, "bro"); + string file_path = find_relative_script_file(orig_file); int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SCRIPT, orig_file, file_path), -1); if ( rc == 1 ) 
@@ -970,7 +981,7 @@ int yywrap() string canon = without_bropath_component(it->name); string flat = flatten_script_name(canon, prefixes[i]); - string path = find_relative_file(flat, "bro"); + string path = find_relative_script_file(flat); if ( ! path.empty() ) { diff --git a/src/util.cc b/src/util.cc index cce49a7f6d..227faa9c1f 100644 --- a/src/util.cc +++ b/src/util.cc @@ -20,6 +20,7 @@ #endif #include +#include #include #include #include @@ -1007,7 +1008,18 @@ string bro_prefixes() return rval; } -const char* PACKAGE_LOADER = "__load__.bro"; +const array script_extensions = {".zeek", ".bro"}; + +bool is_package_loader(const string& path) + { + for (const string& ext : script_extensions) + { + if (path == "__load__" + ext) + return true; + } + + return false; + } FILE* open_file(const string& path, const string& mode) { @@ -1034,13 +1046,22 @@ static bool can_read(const string& path) FILE* open_package(string& path, const string& mode) { string arg_path = path; - path.append("/").append(PACKAGE_LOADER); + path.append("/__load__"); - if ( can_read(path) ) - return open_file(path, mode); + for (const string& ext : script_extensions) + { + string p = path + ext; + if ( can_read(p) ) + { + path.append(ext); + return open_file(path, mode); + } + } + path.append(script_extensions[0]); + string package_loader = "__load__" + script_extensions[0]; reporter->Error("Failed to open package '%s': missing '%s' file", - arg_path.c_str(), PACKAGE_LOADER); + arg_path.c_str(), package_loader.c_str()); return 0; } @@ -1123,7 +1144,7 @@ string flatten_script_name(const string& name, const string& prefix) if ( ! rval.empty() ) rval.append("."); - if ( SafeBasename(name).result == PACKAGE_LOADER ) + if ( is_package_loader(SafeBasename(name).result) ) rval.append(SafeDirname(name).result); else rval.append(name); 
@@ -1221,7 +1242,7 @@ string without_bropath_component(const string& path) } static string find_file_in_path(const string& filename, const string& path, - const string& opt_ext = "") + const vector& opt_ext) { if ( filename.empty() ) return string(); @@ -1239,10 +1260,13 @@ static string find_file_in_path(const string& filename, const string& path, if ( ! opt_ext.empty() ) { - string with_ext = abs_path + '.' + opt_ext; + for (const string& ext : opt_ext) + { + string with_ext = abs_path + ext; - if ( can_read(with_ext) ) - return with_ext; + if ( can_read(with_ext) ) + return with_ext; + } } if ( can_read(abs_path) ) @@ -1257,9 +1281,31 @@ string find_file(const string& filename, const string& path_set, vector paths; tokenize_string(path_set, ":", &paths); + vector ext; + if ( ! opt_ext.empty() ) + ext.push_back(opt_ext); + for ( size_t n = 0; n < paths.size(); ++n ) { - string f = find_file_in_path(filename, paths[n], opt_ext); + string f = find_file_in_path(filename, paths[n], ext); + + if ( ! f.empty() ) + return f; + } + + return string(); + } + +string find_script_file(const string& filename, const string& path_set) + { + vector paths; + tokenize_string(path_set, ":", &paths); + + vector ext(script_extensions.begin(), script_extensions.end()); + + for ( size_t n = 0; n < paths.size(); ++n ) + { + string f = find_file_in_path(filename, paths[n], ext); if ( ! f.empty() ) return f; diff --git a/src/util.h b/src/util.h index 232275d9c9..bd1566080f 100644 --- a/src/util.h +++ b/src/util.h @@ -26,6 +26,7 @@ #include #include +#include #include #include #include 
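Review bot: `find_file_in_path` now appends the extension verbatim (`abs_path + ext`) where it used to insert the dot itself (`abs_path + '.' + opt_ext`), while `find_file` keeps the same public signature. Any caller not touched by this commit that still passes a `"sig"`-style value would silently probe `NAMEsig` and then fall through to the bare name. The commit updates the callers visible on this page (OSFinger.cc, RuleMatcher.cc, scan.l); whether others exist cannot be seen from here. Normalising inside `find_file` keeps both spellings working: `ext.push_back(opt_ext[0] == '.' ? opt_ext : "." + opt_ext);`. Separately, `find_script_file` in the last util.cc hunk repeats `find_file`'s tokenize-and-probe loop line for line, so the two could share one helper that takes the extension vector.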
@@ -248,16 +249,16 @@ static const SourceID SOURCE_BROKER = 0xffffffff; extern void pinpoint(); extern int int_list_cmp(const void* v1, const void* v2); -// Contains the name of the script file that gets read -// when a package is loaded (i.e., "__load__.bro). -extern const char* PACKAGE_LOADER; - extern const std::string& bro_path(); extern const char* bro_magic_path(); extern const char* bro_plugin_path(); extern const char* bro_plugin_activate(); extern std::string bro_prefixes(); +extern const std::array script_extensions; + +bool is_package_loader(const std::string& path); + extern void add_to_bro_path(const std::string& dir); @@ -341,6 +342,14 @@ std::string without_bropath_component(const std::string& path); std::string find_file(const std::string& filename, const std::string& path_set, const std::string& opt_ext = ""); +/** + * Locate a script file within a given search path. + * @param filename Name of a file to find. + * @param path_set Colon-delimited set of paths to search for the file. + * @return Path to the found file, or an empty string if not found. + */ +std::string find_script_file(const std::string& filename, const std::string& path_set); + // Wrapper around fopen(3). Emits an error when failing to open. FILE* open_file(const std::string& path, const std::string& mode = "r"); From 0d61df30b7d192f72703a4e803327cd1eae3d6df Mon Sep 17 00:00:00 2001 From: Jeff Barber Date: Wed, 10 Apr 2019 15:10:29 -0700 Subject: [PATCH 60/88] Prevent topk_merge from crashing when second argument is empty set --- src/probabilistic/Topk.cc | 7 +++++++ testing/btest/scripts/base/frameworks/sumstats/topk.bro | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/src/probabilistic/Topk.cc b/src/probabilistic/Topk.cc index e01b4e41b6..254b268145 100644 --- a/src/probabilistic/Topk.cc +++ b/src/probabilistic/Topk.cc 
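Review bot: The new doc comment on `find_script_file` omits the lookup order, which is the part a caller needs. As far as the util.cc hunks in this commit show, each directory of `path_set` is tried in turn, and within a directory `.zeek` is probed first, then `.bro`, then the name as given. A `.bro` file in an earlier directory therefore wins over a `.zeek` file in a later one. Because this order decides which script is actually loaded when two copies sit on the search path, it should be spelled out, e.g. `@return Path of the first match, trying NAME.zeek, NAME.bro, then NAME in each directory of path_set in order; empty string if none.` The `find_file` declaration just above would likewise benefit from a line saying that `opt_ext` must now include its leading dot.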
@@ -78,6 +78,13 @@ TopkVal::~TopkVal() void TopkVal::Merge(const TopkVal* value, bool doPrune) { + if (!value->type) + { + // Merge-from is empty. Nothing to do. + assert(value->numElements == 0); + return; + } + if ( type == 0 ) { assert(numElements == 0); diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk.bro b/testing/btest/scripts/base/frameworks/sumstats/topk.bro index 99c301c669..0d0a49b191 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/topk.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/topk.bro @@ -5,6 +5,11 @@ event bro_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::TOPK)]; + # Merge two empty sets + local topk1: opaque of topk = topk_init(4); + local topk2: opaque of topk = topk_init(4); + topk_merge(topk1, topk2); + SumStats::create([$name="topk-test", $epoch=3secs, $reducers=set(r1), From 7c2477d87a51b2c99d5b7dd65373afe6c0184f90 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 11 Apr 2019 02:38:53 -0500 Subject: [PATCH 61/88] Fix the core/load-duplicates.bro test The load-duplicates.bro test would never fail because loading the provided script code twice wouldn't trigger an error. Fixed this by changing the sample script content. Also added a test case to verify that an error occurs as expected when two scripts with the same content are loaded. --- testing/btest/core/load-duplicates.bro | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/testing/btest/core/load-duplicates.bro b/testing/btest/core/load-duplicates.bro index 8c86fbc272..9b3810d40d 100644 --- a/testing/btest/core/load-duplicates.bro +++ b/testing/btest/core/load-duplicates.bro 
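Review bot: The case added to topk.bro merges two freshly initialised sets and checks nothing afterwards, so it only shows that the call no longer crashes when both sides are empty. The commit subject is about an empty second argument, and the new early return in `TopkVal::Merge` is also what protects a destination that already holds elements. A second case that adds a value to `topk1` before `topk_merge(topk1, topk2)` and then prints `topk_size(topk1)` would pin down that the destination is left untouched. In Topk.cc the only sanity check on the empty source is an `assert`, which is compiled out under NDEBUG, so the script-level test is the check that survives in release builds.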
@@ -3,12 +3,13 @@ # @TEST-EXEC: mkdir -p foo/bar # @TEST-EXEC: echo "@load bar/test" >loader.bro # @TEST-EXEC: cp %INPUT foo/bar/test.bro +# @TEST-EXEC: cp %INPUT foo/bar/test2.bro +# # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader bar/test # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader bar/test.bro # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader foo/bar/test # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader foo/bar/test.bro # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader `pwd`/foo/bar/test.bro +# @TEST-EXEC-FAIL: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader bar/test2 -type Test: enum { - TEST, -}; +global pi = 3.14; From 438fe27ce4306b0b1af56e75af7ad20fa40061e3 Mon Sep 17 00:00:00 2001 
From: Daniel Thayer Date: Thu, 11 Apr 2019 12:07:54 -0500 Subject: [PATCH 62/88] Add test cases to verify new file extension is recognized Added tests to verify that scripts with the new ".zeek" file extension are recognized and that ".bro" is used as a fallback. --- .../core.load-file-extension/bro_only | 1 + .../core.load-file-extension/bro_preferred | 1 + .../core.load-file-extension/bro_preferred_2 | 1 + .../core.load-file-extension/no_extension | 1 + .../core.load-file-extension/xyz_preferred | 1 + .../core.load-file-extension/zeek_only | 1 + .../core.load-file-extension/zeek_preferred | 1 + .../zeek_script_preferred | 1 + testing/btest/Baseline/core.load-pkg/output | 3 +- testing/btest/Baseline/core.load-pkg/output2 | 2 + .../btest/Baseline/core.load-prefixes/output | 2 +- .../btest/Baseline/core.load-unload/output2 | 1 + testing/btest/core/load-file-extension.bro | 89 +++++++++++++++++++ testing/btest/core/load-pkg.bro | 24 ++++- testing/btest/core/load-prefixes.bro | 8 +- testing/btest/core/load-unload.bro | 27 +++++- 16 files changed, 154 insertions(+), 10 deletions(-) create mode 100644 testing/btest/Baseline/core.load-file-extension/bro_only create mode 100644 testing/btest/Baseline/core.load-file-extension/bro_preferred create mode 100644 testing/btest/Baseline/core.load-file-extension/bro_preferred_2 create mode 100644 testing/btest/Baseline/core.load-file-extension/no_extension create mode 100644 testing/btest/Baseline/core.load-file-extension/xyz_preferred create mode 100644 testing/btest/Baseline/core.load-file-extension/zeek_only create mode 100644 testing/btest/Baseline/core.load-file-extension/zeek_preferred create mode 100644 testing/btest/Baseline/core.load-file-extension/zeek_script_preferred create mode 100644 testing/btest/Baseline/core.load-pkg/output2 create mode 100644 testing/btest/Baseline/core.load-unload/output2 create mode 100644 testing/btest/core/load-file-extension.bro 
diff --git a/testing/btest/Baseline/core.load-file-extension/bro_only b/testing/btest/Baseline/core.load-file-extension/bro_only new file mode 100644 index 0000000000..bb2333014b --- /dev/null +++ b/testing/btest/Baseline/core.load-file-extension/bro_only @@ -0,0 +1 @@ +Bro script loaded diff --git a/testing/btest/Baseline/core.load-file-extension/bro_preferred b/testing/btest/Baseline/core.load-file-extension/bro_preferred new file mode 100644 index 0000000000..bb2333014b --- /dev/null +++ b/testing/btest/Baseline/core.load-file-extension/bro_preferred @@ -0,0 +1 @@ +Bro script loaded diff --git a/testing/btest/Baseline/core.load-file-extension/bro_preferred_2 b/testing/btest/Baseline/core.load-file-extension/bro_preferred_2 new file mode 100644 index 0000000000..bb2333014b --- /dev/null +++ b/testing/btest/Baseline/core.load-file-extension/bro_preferred_2 @@ -0,0 +1 @@ +Bro script loaded diff --git a/testing/btest/Baseline/core.load-file-extension/no_extension b/testing/btest/Baseline/core.load-file-extension/no_extension new file mode 100644 index 0000000000..b9cfe8016f --- /dev/null +++ b/testing/btest/Baseline/core.load-file-extension/no_extension @@ -0,0 +1 @@ +No file extension script loaded diff --git a/testing/btest/Baseline/core.load-file-extension/xyz_preferred b/testing/btest/Baseline/core.load-file-extension/xyz_preferred new file mode 100644 index 0000000000..8883b557a3 --- /dev/null +++ b/testing/btest/Baseline/core.load-file-extension/xyz_preferred @@ -0,0 +1 @@ +Non-standard file extension script loaded diff --git a/testing/btest/Baseline/core.load-file-extension/zeek_only b/testing/btest/Baseline/core.load-file-extension/zeek_only new file mode 100644 index 0000000000..129000059a --- /dev/null +++ b/testing/btest/Baseline/core.load-file-extension/zeek_only @@ -0,0 +1 @@ +Zeek script loaded 
diff --git a/testing/btest/Baseline/core.load-file-extension/zeek_preferred b/testing/btest/Baseline/core.load-file-extension/zeek_preferred new file mode 100644 index 0000000000..129000059a --- /dev/null +++ b/testing/btest/Baseline/core.load-file-extension/zeek_preferred @@ -0,0 +1 @@ +Zeek script loaded diff --git a/testing/btest/Baseline/core.load-file-extension/zeek_script_preferred b/testing/btest/Baseline/core.load-file-extension/zeek_script_preferred new file mode 100644 index 0000000000..129000059a --- /dev/null +++ b/testing/btest/Baseline/core.load-file-extension/zeek_script_preferred @@ -0,0 +1 @@ +Zeek script loaded diff --git a/testing/btest/Baseline/core.load-pkg/output b/testing/btest/Baseline/core.load-pkg/output index 119b2f9a18..ab438bfe3b 100644 --- a/testing/btest/Baseline/core.load-pkg/output +++ b/testing/btest/Baseline/core.load-pkg/output @@ -1 +1,2 @@ -Foo loaded +test.zeek loaded +__load__.zeek loaded diff --git a/testing/btest/Baseline/core.load-pkg/output2 b/testing/btest/Baseline/core.load-pkg/output2 new file mode 100644 index 0000000000..1021a36092 --- /dev/null +++ b/testing/btest/Baseline/core.load-pkg/output2 @@ -0,0 +1,2 @@ +test.zeek loaded +__load__.bro loaded diff --git a/testing/btest/Baseline/core.load-prefixes/output b/testing/btest/Baseline/core.load-prefixes/output index ea35b3a8c0..2969d774cf 100644 --- a/testing/btest/Baseline/core.load-prefixes/output +++ b/testing/btest/Baseline/core.load-prefixes/output @@ -1,4 +1,4 @@ loaded lcl2.base.utils.site.bro loaded lcl.base.utils.site.bro loaded lcl2.base.protocols.http.bro -loaded lcl.base.protocols.http.bro +loaded lcl.base.protocols.http.zeek diff --git a/testing/btest/Baseline/core.load-unload/output2 b/testing/btest/Baseline/core.load-unload/output2 new file mode 100644 index 0000000000..bd327f15d4 --- /dev/null +++ b/testing/btest/Baseline/core.load-unload/output2 @@ -0,0 +1 @@ +Loaded: dontloadme.bro 
diff --git a/testing/btest/core/load-file-extension.bro b/testing/btest/core/load-file-extension.bro new file mode 100644 index 0000000000..1b5520c873 --- /dev/null +++ b/testing/btest/core/load-file-extension.bro 
@@ -0,0 +1,89 @@ +# Test loading scripts with different file extensions. +# +# Test that either ".zeek" or ".bro" can be loaded without specifying extension +# @TEST-EXEC: cp x/foo.bro . +# @TEST-EXEC: bro -b load_foo > bro_only +# @TEST-EXEC: btest-diff bro_only +# @TEST-EXEC: rm foo.bro +# +# @TEST-EXEC: cp x/foo.zeek . +# @TEST-EXEC: bro -b load_foo > zeek_only +# @TEST-EXEC: btest-diff zeek_only +# @TEST-EXEC: rm foo.zeek +# +# Test that ".zeek" is the preferred file extension, unless ".bro" is specified +# @TEST-EXEC: cp x/foo.* . +# @TEST-EXEC: cp x2/foo . +# @TEST-EXEC: bro -b load_foo > zeek_preferred +# @TEST-EXEC: btest-diff zeek_preferred +# +# @TEST-EXEC: bro -b load_foo_bro > bro_preferred +# @TEST-EXEC: btest-diff bro_preferred +# @TEST-EXEC: rm foo* +# +# Test that ".bro" is preferred over a script with no file extension (when +# there is no ".zeek" script) +# @TEST-EXEC: cp x/foo.bro . +# @TEST-EXEC: cp x2/foo . +# @TEST-EXEC: bro -b load_foo > bro_preferred_2 +# @TEST-EXEC: btest-diff bro_preferred_2 +# @TEST-EXEC: rm foo* +# +# Test that a script with no file extension can be loaded +# @TEST-EXEC: cp x2/foo . +# @TEST-EXEC: bro -b load_foo > no_extension +# @TEST-EXEC: btest-diff no_extension +# @TEST-EXEC: rm foo +# +# Test that a ".zeek" script is preferred over a script package of same name +# @TEST-EXEC: cp -r x/foo* . +# @TEST-EXEC: bro -b load_foo > zeek_script_preferred +# @TEST-EXEC: btest-diff zeek_script_preferred +# @TEST-EXEC: rm -r foo* +# +# Test that unrecognized file extensions can be loaded explicitly +# @TEST-EXEC: cp x/foo.* . +# @TEST-EXEC: bro -b load_foo_xyz > xyz_preferred +# @TEST-EXEC: btest-diff xyz_preferred +# @TEST-EXEC: rm foo.* +# +# @TEST-EXEC: cp x/foo.xyz . 
+# @TEST-EXEC-FAIL: bro -b load_foo +# @TEST-EXEC: rm foo.xyz + +@TEST-START-FILE load_foo +@load foo +@TEST-END-FILE + +@TEST-START-FILE load_foo_bro +@load foo.bro +@TEST-END-FILE + +@TEST-START-FILE load_foo_xyz +@load foo.xyz +@TEST-END-FILE + + +@TEST-START-FILE x/foo.bro +print "Bro script loaded"; +@TEST-END-FILE + +@TEST-START-FILE x/foo.zeek +print "Zeek script loaded"; +@TEST-END-FILE + +@TEST-START-FILE x/foo.xyz +print "Non-standard file extension script loaded"; +@TEST-END-FILE + +@TEST-START-FILE x/foo/__load__.zeek +@load ./main +@TEST-END-FILE + +@TEST-START-FILE x/foo/main.zeek +print "Script package loaded"; +@TEST-END-FILE + +@TEST-START-FILE x2/foo +print "No file extension script loaded"; +@TEST-END-FILE diff --git a/testing/btest/core/load-pkg.bro b/testing/btest/core/load-pkg.bro index e6671e038d..8c861f7982 100644 --- a/testing/btest/core/load-pkg.bro +++ b/testing/btest/core/load-pkg.bro @@ -1,10 +1,28 @@ +# Test that package loading works when a package loader script is present. +# +# Test that ".zeek" is loaded when there is also a ".bro" # @TEST-EXEC: bro -b foo >output # @TEST-EXEC: btest-diff output +# +# Test that ".bro" is loaded when there is no ".zeek" +# @TEST-EXEC: rm foo/__load__.zeek +# @TEST-EXEC: bro -b foo >output2 +# @TEST-EXEC: btest-diff output2 +# +# Test that package cannot be loaded when no package loader script exists. +# @TEST-EXEC: rm foo/__load__.bro +# @TEST-EXEC-FAIL: bro -b foo @TEST-START-FILE foo/__load__.bro -@load ./test.bro +@load ./test +print "__load__.bro loaded"; @TEST-END-FILE -@TEST-START-FILE foo/test.bro -print "Foo loaded"; +@TEST-START-FILE foo/__load__.zeek +@load ./test +print "__load__.zeek loaded"; +@TEST-END-FILE + +@TEST-START-FILE foo/test.zeek +print "test.zeek loaded"; @TEST-END-FILE diff --git a/testing/btest/core/load-prefixes.bro b/testing/btest/core/load-prefixes.bro index 1dfc3ac5dd..5d064c0d36 100644 --- a/testing/btest/core/load-prefixes.bro 
+++ b/testing/btest/core/load-prefixes.bro @@ -8,6 +8,8 @@ @prefixes += lcl2 @TEST-END-FILE +# Since base/utils/site.bro is a script, only a script with the original file +# extension can be loaded here. @TEST-START-FILE lcl.base.utils.site.bro print "loaded lcl.base.utils.site.bro"; @TEST-END-FILE @@ -16,8 +18,10 @@ print "loaded lcl.base.utils.site.bro"; print "loaded lcl2.base.utils.site.bro"; @TEST-END-FILE -@TEST-START-FILE lcl.base.protocols.http.bro -print "loaded lcl.base.protocols.http.bro"; +# For a script package like base/protocols/http/, either of the recognized +# file extensions can be loaded here. +@TEST-START-FILE lcl.base.protocols.http.zeek +print "loaded lcl.base.protocols.http.zeek"; @TEST-END-FILE @TEST-START-FILE lcl2.base.protocols.http.bro diff --git a/testing/btest/core/load-unload.bro b/testing/btest/core/load-unload.bro index 6525a8e8ea..6b2614a50c 100644 --- a/testing/btest/core/load-unload.bro +++ b/testing/btest/core/load-unload.bro 
@@ -1,11 +1,32 @@ # This tests the @unload directive # -# @TEST-EXEC: bro -b %INPUT misc/loaded-scripts dontloadmebro > output +# Test that @unload works with ".bro" when there is no ".zeek" script +# @TEST-EXEC: bro -b unloadbro misc/loaded-scripts dontloadmebro > output # @TEST-EXEC: btest-diff output -# @TEST-EXEC: grep -q dontloadmebro loaded_scripts.log && exit 1 || exit 0 +# @TEST-EXEC: grep dontloadmebro loaded_scripts.log && exit 1 || exit 0 +# +# Test that @unload looks for ".zeek" first (assuming no file extension is +# specified in the @unload) +# @TEST-EXEC: bro -b unload misc/loaded-scripts dontloadme.zeek dontloadme.bro > output2 +# @TEST-EXEC: btest-diff output2 +# @TEST-EXEC: grep dontloadme.bro loaded_scripts.log +@TEST-START-FILE unloadbro.bro @unload dontloadmebro +@TEST-END-FILE @TEST-START-FILE dontloadmebro.bro -print "FAIL"; +print "Loaded: dontloadmebro.bro"; +@TEST-END-FILE + +@TEST-START-FILE unload.zeek +@unload dontloadme +@TEST-END-FILE + +@TEST-START-FILE dontloadme.zeek +print "Loaded: dontloadme.zeek"; +@TEST-END-FILE + +@TEST-START-FILE dontloadme.bro +print "Loaded: dontloadme.bro"; @TEST-END-FILE From 537d9cab97d3c9f4413dee4a32a82a89af188af4 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 11 Apr 2019 14:59:17 -0500 Subject: [PATCH 63/88] Update a few tests due to scripts with new file extension --- testing/btest/plugins/bifs-and-scripts-install.sh | 2 +- testing/btest/plugins/bifs-and-scripts.sh | 2 +- .../protocol-plugin/scripts/{__load__.bro => __load__.zeek} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename testing/btest/plugins/protocol-plugin/scripts/{__load__.bro => __load__.zeek} (100%) diff --git a/testing/btest/plugins/bifs-and-scripts-install.sh b/testing/btest/plugins/bifs-and-scripts-install.sh index 60c754f8ff..5498e515ca 100644 --- a/testing/btest/plugins/bifs-and-scripts-install.sh +++ b/testing/btest/plugins/bifs-and-scripts-install.sh 
@@ -9,7 +9,7 @@ mkdir -p scripts/demo/foo/base/ -cat >scripts/__load__.bro <scripts/__load__.zeek <scripts/__load__.bro <scripts/__load__.zeek < Date: Thu, 11 Apr 2019 21:12:40 -0500 Subject: [PATCH 64/88] Rename all scripts to have ".zeek" file extension --- scripts/CMakeLists.txt | 8 +- .../extract/{__load__.bro => __load__.zeek} | 0 .../files/extract/{main.bro => main.zeek} | 0 .../hash/{__load__.bro => __load__.zeek} | 0 .../base/files/hash/{main.bro => main.zeek} | 0 .../files/pe/{__load__.bro => __load__.zeek} | 0 .../base/files/pe/{consts.bro => consts.zeek} | 0 scripts/base/files/pe/{main.bro => main.zeek} | 0 .../unified2/{__load__.bro => __load__.zeek} | 0 .../files/unified2/{main.bro => main.zeek} | 0 .../x509/{__load__.bro => __load__.zeek} | 0 .../base/files/x509/{main.bro => main.zeek} | 0 .../analyzer/{__load__.bro => __load__.zeek} | 0 .../analyzer/{main.bro => main.zeek} | 0 .../broker/{__load__.bro => __load__.zeek} | 0 .../frameworks/broker/{log.bro => log.zeek} | 0 .../frameworks/broker/{main.bro => main.zeek} | 0 .../broker/{store.bro => store.zeek} | 0 .../cluster/{__load__.bro => __load__.zeek} | 0 .../cluster/{main.bro => main.zeek} | 6 +- .../cluster/nodes/{logger.bro => logger.zeek} | 0 .../nodes/{manager.bro => manager.zeek} | 0 .../cluster/nodes/{proxy.bro => proxy.zeek} | 0 .../cluster/nodes/{worker.bro => worker.zeek} | 0 .../cluster/{pools.bro => pools.zeek} | 0 ...connections.bro => setup-connections.zeek} | 0 .../config/{__load__.bro => __load__.zeek} | 0 .../config/{input.bro => input.zeek} | 0 .../frameworks/config/{main.bro => main.zeek} | 0 .../config/{weird.bro => weird.zeek} | 0 .../control/{__load__.bro => __load__.zeek} | 0 .../control/{main.bro => main.zeek} | 0 .../dpd/{__load__.bro => __load__.zeek} | 0 .../frameworks/dpd/{main.bro => main.zeek} | 0 .../files/{__load__.bro => __load__.zeek} | 0 .../magic/{__load__.bro => __load__.zeek} | 0 .../frameworks/files/{main.bro => main.zeek} | 0 .../input/{__load__.bro => 
__load__.zeek} | 0 .../frameworks/input/{main.bro => main.zeek} | 0 .../input/readers/{ascii.bro => ascii.zeek} | 0 .../readers/{benchmark.bro => benchmark.zeek} | 0 .../input/readers/{binary.bro => binary.zeek} | 0 .../input/readers/{config.bro => config.zeek} | 0 .../input/readers/{raw.bro => raw.zeek} | 0 .../input/readers/{sqlite.bro => sqlite.zeek} | 0 .../intel/{__load__.bro => __load__.zeek} | 0 .../intel/{cluster.bro => cluster.zeek} | 0 .../intel/{files.bro => files.zeek} | 0 .../intel/{input.bro => input.zeek} | 0 .../frameworks/intel/{main.bro => main.zeek} | 0 .../logging/{__load__.bro => __load__.zeek} | 0 .../logging/{main.bro => main.zeek} | 0 .../{__load__.bro => __load__.zeek} | 0 .../postprocessors/{scp.bro => scp.zeek} | 0 .../postprocessors/{sftp.bro => sftp.zeek} | 0 .../logging/writers/{ascii.bro => ascii.zeek} | 0 .../logging/writers/{none.bro => none.zeek} | 0 .../writers/{sqlite.bro => sqlite.zeek} | 0 .../{__load__.bro => __load__.zeek} | 0 ...and-release.bro => catch-and-release.zeek} | 0 .../netcontrol/{cluster.bro => cluster.zeek} | 0 .../netcontrol/{drop.bro => drop.zeek} | 0 .../netcontrol/{main.bro => main.zeek} | 4 +- .../{non-cluster.bro => non-cluster.zeek} | 0 .../netcontrol/{plugin.bro => plugin.zeek} | 0 .../plugins/{__load__.bro => __load__.zeek} | 0 .../plugins/{acld.bro => acld.zeek} | 0 .../plugins/{broker.bro => broker.zeek} | 0 .../plugins/{debug.bro => debug.zeek} | 0 .../plugins/{openflow.bro => openflow.zeek} | 0 .../{packetfilter.bro => packetfilter.zeek} | 0 .../netcontrol/{shunt.bro => shunt.zeek} | 0 .../netcontrol/{types.bro => types.zeek} | 0 .../notice/{__load__.bro => __load__.zeek} | 0 .../{add-geodata.bro => add-geodata.zeek} | 0 .../notice/actions/{drop.bro => drop.zeek} | 0 .../{email_admin.bro => email_admin.zeek} | 0 .../notice/actions/{page.bro => page.zeek} | 0 .../actions/{pp-alarms.bro => pp-alarms.zeek} | 0 .../frameworks/notice/{main.bro => main.zeek} | 0 .../notice/{weird.bro => weird.zeek} | 0 
.../openflow/{__load__.bro => __load__.zeek} | 0 .../openflow/{cluster.bro => cluster.zeek} | 0 .../openflow/{consts.bro => consts.zeek} | 0 .../openflow/{main.bro => main.zeek} | 2 +- .../{non-cluster.bro => non-cluster.zeek} | 0 .../plugins/{__load__.bro => __load__.zeek} | 0 .../plugins/{broker.bro => broker.zeek} | 0 .../openflow/plugins/{log.bro => log.zeek} | 0 .../openflow/plugins/{ryu.bro => ryu.zeek} | 0 .../openflow/{types.bro => types.zeek} | 0 .../{__load__.bro => __load__.zeek} | 0 .../{cluster.bro => cluster.zeek} | 0 .../packet-filter/{main.bro => main.zeek} | 0 .../{netstats.bro => netstats.zeek} | 0 .../packet-filter/{utils.bro => utils.zeek} | 0 .../reporter/{__load__.bro => __load__.zeek} | 0 .../reporter/{main.bro => main.zeek} | 2 +- .../{__load__.bro => __load__.zeek} | 0 .../signatures/{main.bro => main.zeek} | 0 .../software/{__load__.bro => __load__.zeek} | 0 .../software/{main.bro => main.zeek} | 0 .../sumstats/{__load__.bro => __load__.zeek} | 0 .../sumstats/{cluster.bro => cluster.zeek} | 0 .../sumstats/{main.bro => main.zeek} | 0 .../{non-cluster.bro => non-cluster.zeek} | 0 .../plugins/{__load__.bro => __load__.zeek} | 0 .../plugins/{average.bro => average.zeek} | 0 .../{hll_unique.bro => hll_unique.zeek} | 0 .../sumstats/plugins/{last.bro => last.zeek} | 0 .../sumstats/plugins/{max.bro => max.zeek} | 0 .../sumstats/plugins/{min.bro => min.zeek} | 0 .../plugins/{sample.bro => sample.zeek} | 0 .../plugins/{std-dev.bro => std-dev.zeek} | 0 .../sumstats/plugins/{sum.bro => sum.zeek} | 0 .../sumstats/plugins/{topk.bro => topk.zeek} | 0 .../plugins/{unique.bro => unique.zeek} | 0 .../plugins/{variance.bro => variance.zeek} | 0 .../tunnels/{__load__.bro => __load__.zeek} | 0 .../tunnels/{main.bro => main.zeek} | 0 .../base/{init-bare.bro => init-bare.zeek} | 6 +- .../{init-default.bro => init-default.zeek} | 2 +- ...bifs.bro => init-frameworks-and-bifs.zeek} | 2 +- ...ding.bro => find-checksum-offloading.zeek} | 0 ...red-trace.bro => 
find-filtered-trace.zeek} | 0 .../base/misc/{version.bro => version.zeek} | 0 .../conn/{__load__.bro => __load__.zeek} | 0 .../conn/{contents.bro => contents.zeek} | 0 .../conn/{inactivity.bro => inactivity.zeek} | 0 .../protocols/conn/{main.bro => main.zeek} | 0 .../conn/{polling.bro => polling.zeek} | 0 .../conn/{thresholds.bro => thresholds.zeek} | 0 .../dce-rpc/{__load__.bro => __load__.zeek} | 0 .../dce-rpc/{consts.bro => consts.zeek} | 0 .../protocols/dce-rpc/{main.bro => main.zeek} | 0 .../dhcp/{__load__.bro => __load__.zeek} | 0 .../dhcp/{consts.bro => consts.zeek} | 0 .../protocols/dhcp/{main.bro => main.zeek} | 0 .../dnp3/{__load__.bro => __load__.zeek} | 0 .../dnp3/{consts.bro => consts.zeek} | 0 .../protocols/dnp3/{main.bro => main.zeek} | 0 .../dns/{__load__.bro => __load__.zeek} | 0 .../protocols/dns/{consts.bro => consts.zeek} | 0 .../protocols/dns/{main.bro => main.zeek} | 0 .../ftp/{__load__.bro => __load__.zeek} | 0 .../protocols/ftp/{files.bro => files.zeek} | 0 .../ftp/{gridftp.bro => gridftp.zeek} | 0 .../protocols/ftp/{info.bro => info.zeek} | 0 .../protocols/ftp/{main.bro => main.zeek} | 0 ...utils-commands.bro => utils-commands.zeek} | 0 .../protocols/ftp/{utils.bro => utils.zeek} | 0 .../http/{__load__.bro => __load__.zeek} | 0 .../http/{entities.bro => entities.zeek} | 0 .../protocols/http/{files.bro => files.zeek} | 0 .../protocols/http/{main.bro => main.zeek} | 0 .../protocols/http/{utils.bro => utils.zeek} | 0 .../imap/{__load__.bro => __load__.zeek} | 0 .../protocols/imap/{main.bro => main.zeek} | 0 .../irc/{__load__.bro => __load__.zeek} | 0 .../irc/{dcc-send.bro => dcc-send.zeek} | 0 .../protocols/irc/{files.bro => files.zeek} | 0 .../protocols/irc/{main.bro => main.zeek} | 0 .../krb/{__load__.bro => __load__.zeek} | 0 .../protocols/krb/{consts.bro => consts.zeek} | 0 .../protocols/krb/{files.bro => files.zeek} | 0 .../protocols/krb/{main.bro => main.zeek} | 0 .../modbus/{__load__.bro => __load__.zeek} | 0 .../modbus/{consts.bro => 
consts.zeek} | 0 .../protocols/modbus/{main.bro => main.zeek} | 0 .../mysql/{__load__.bro => __load__.zeek} | 0 .../mysql/{consts.bro => consts.zeek} | 0 .../protocols/mysql/{main.bro => main.zeek} | 0 .../ntlm/{__load__.bro => __load__.zeek} | 0 .../protocols/ntlm/{main.bro => main.zeek} | 0 .../pop3/{__load__.bro => __load__.zeek} | 0 .../radius/{__load__.bro => __load__.zeek} | 0 .../radius/{consts.bro => consts.zeek} | 0 .../protocols/radius/{main.bro => main.zeek} | 0 .../rdp/{__load__.bro => __load__.zeek} | 0 .../protocols/rdp/{consts.bro => consts.zeek} | 0 .../protocols/rdp/{main.bro => main.zeek} | 0 .../rfb/{__load__.bro => __load__.zeek} | 0 .../protocols/rfb/{main.bro => main.zeek} | 0 .../sip/{__load__.bro => __load__.zeek} | 0 .../protocols/sip/{main.bro => main.zeek} | 0 .../smb/{__load__.bro => __load__.zeek} | 0 ...nst-dos-error.bro => const-dos-error.zeek} | 0 ...nst-nt-status.bro => const-nt-status.zeek} | 0 .../protocols/smb/{consts.bro => consts.zeek} | 2 +- .../protocols/smb/{files.bro => files.zeek} | 0 .../protocols/smb/{main.bro => main.zeek} | 0 .../smb/{smb1-main.bro => smb1-main.zeek} | 0 .../smb/{smb2-main.bro => smb2-main.zeek} | 0 .../smtp/{__load__.bro => __load__.zeek} | 0 .../smtp/{entities.bro => entities.zeek} | 0 .../protocols/smtp/{files.bro => files.zeek} | 0 .../protocols/smtp/{main.bro => main.zeek} | 0 .../snmp/{__load__.bro => __load__.zeek} | 0 .../protocols/snmp/{main.bro => main.zeek} | 0 .../socks/{__load__.bro => __load__.zeek} | 0 .../socks/{consts.bro => consts.zeek} | 0 .../protocols/socks/{main.bro => main.zeek} | 0 .../ssh/{__load__.bro => __load__.zeek} | 0 .../protocols/ssh/{main.bro => main.zeek} | 0 .../ssl/{__load__.bro => __load__.zeek} | 0 .../protocols/ssl/{consts.bro => consts.zeek} | 0 .../ssl/{ct-list.bro => ct-list.zeek} | 0 .../protocols/ssl/{files.bro => files.zeek} | 0 .../protocols/ssl/{main.bro => main.zeek} | 4 +- ...zilla-ca-list.bro => mozilla-ca-list.zeek} | 0 .../syslog/{__load__.bro => 
__load__.zeek} | 0 .../syslog/{consts.bro => consts.zeek} | 0 .../protocols/syslog/{main.bro => main.zeek} | 0 .../tunnels/{__load__.bro => __load__.zeek} | 0 .../xmpp/{__load__.bro => __load__.zeek} | 0 .../protocols/xmpp/{main.bro => main.zeek} | 0 .../{active-http.bro => active-http.zeek} | 0 scripts/base/utils/{addrs.bro => addrs.zeek} | 0 .../utils/{conn-ids.bro => conn-ids.zeek} | 0 scripts/base/utils/{dir.bro => dir.zeek} | 0 ...nd-hosts.bro => directions-and-hosts.zeek} | 0 scripts/base/utils/{email.bro => email.zeek} | 0 scripts/base/utils/{exec.bro => exec.zeek} | 0 scripts/base/utils/{files.bro => files.zeek} | 0 ...geoip-distance.bro => geoip-distance.zeek} | 0 .../utils/{hash_hrw.bro => hash_hrw.zeek} | 0 scripts/base/utils/{json.bro => json.zeek} | 0 .../base/utils/{numbers.bro => numbers.zeek} | 0 scripts/base/utils/{paths.bro => paths.zeek} | 0 .../utils/{patterns.bro => patterns.zeek} | 0 scripts/base/utils/{queue.bro => queue.zeek} | 0 scripts/base/utils/{site.bro => site.zeek} | 0 .../base/utils/{strings.bro => strings.zeek} | 0 .../utils/{thresholds.bro => thresholds.zeek} | 0 scripts/base/utils/{time.bro => time.zeek} | 0 scripts/base/utils/{urls.bro => urls.zeek} | 0 scripts/broxygen/__load__.bro | 17 --- scripts/broxygen/__load__.zeek | 17 +++ .../broxygen/{example.bro => example.zeek} | 0 .../x509/{log-ocsp.bro => log-ocsp.zeek} | 0 .../{controllee.bro => controllee.zeek} | 0 .../{controller.bro => controller.zeek} | 0 ...ct-protocols.bro => detect-protocols.zeek} | 0 ...ogging.bro => packet-segment-logging.zeek} | 0 .../files/{detect-MHR.bro => detect-MHR.zeek} | 0 ...-files.bro => entropy-test-all-files.zeek} | 0 ...t-all-files.bro => extract-all-files.zeek} | 0 ...hash-all-files.bro => hash-all-files.zeek} | 0 .../intel/{do_expire.bro => do_expire.zeek} | 0 .../intel/{do_notice.bro => do_notice.zeek} | 0 .../intel/{removal.bro => removal.zeek} | 0 .../seen/{__load__.bro => __load__.zeek} | 0 ...-established.bro => conn-established.zeek} | 
0 .../intel/seen/{dns.bro => dns.zeek} | 0 .../{file-hashes.bro => file-hashes.zeek} | 0 .../seen/{file-names.bro => file-names.zeek} | 0 .../{http-headers.bro => http-headers.zeek} | 0 .../seen/{http-url.bro => http-url.zeek} | 0 .../{pubkey-hashes.bro => pubkey-hashes.zeek} | 0 .../{smb-filenames.bro => smb-filenames.zeek} | 0 ...xtraction.bro => smtp-url-extraction.zeek} | 0 .../intel/seen/{smtp.bro => smtp.zeek} | 0 .../intel/seen/{ssl.bro => ssl.zeek} | 0 ...ere-locations.bro => where-locations.zeek} | 0 .../intel/seen/{x509.bro => x509.zeek} | 0 .../intel/{whitelist.bro => whitelist.zeek} | 0 .../notice/{__load__.bro => __load__.zeek} | 0 .../{hostnames.bro => hostnames.zeek} | 0 .../packet-filter/{shunt.bro => shunt.zeek} | 0 ...rsion-changes.bro => version-changes.zeek} | 0 .../{vulnerable.bro => vulnerable.zeek} | 0 ...ion.bro => windows-version-detection.zeek} | 0 .../barnyard2/{__load__.bro => __load__.zeek} | 0 .../barnyard2/{main.bro => main.zeek} | 0 .../barnyard2/{types.bro => types.zeek} | 0 .../{__load__.bro => __load__.zeek} | 0 .../collective-intel/{main.bro => main.zeek} | 0 .../{capture-loss.bro => capture-loss.zeek} | 0 .../{__load__.bro => __load__.zeek} | 0 .../detect-traceroute/{main.bro => main.zeek} | 0 .../{dump-events.bro => dump-events.zeek} | 0 ...load-balancing.bro => load-balancing.zeek} | 0 ...loaded-scripts.bro => loaded-scripts.zeek} | 0 .../misc/{profiling.bro => profiling.zeek} | 0 scripts/policy/misc/{scan.bro => scan.zeek} | 0 scripts/policy/misc/{stats.bro => stats.zeek} | 0 ...im-trace-file.bro => trim-trace-file.zeek} | 0 .../{weird-stats.bro => weird-stats.zeek} | 0 .../{known-hosts.bro => known-hosts.zeek} | 0 ...known-services.bro => known-services.zeek} | 0 .../{mac-logging.bro => mac-logging.zeek} | 0 .../{vlan-logging.bro => vlan-logging.zeek} | 0 .../conn/{weirds.bro => weirds.zeek} | 0 ...ated_events.bro => deprecated_events.zeek} | 0 .../dhcp/{msg-orig.bro => msg-orig.zeek} | 0 .../dhcp/{software.bro => 
software.zeek} | 0 .../dhcp/{sub-opts.bro => sub-opts.zeek} | 0 .../dns/{auth-addl.bro => auth-addl.zeek} | 0 ...l-names.bro => detect-external-names.zeek} | 0 ...teforcing.bro => detect-bruteforcing.zeek} | 0 .../protocols/ftp/{detect.bro => detect.zeek} | 0 .../ftp/{software.bro => software.zeek} | 0 .../{detect-sqli.bro => detect-sqli.zeek} | 0 ...detect-webapps.bro => detect-webapps.zeek} | 0 .../{header-names.bro => header-names.zeek} | 0 ...gins.bro => software-browser-plugins.zeek} | 0 .../http/{software.bro => software.zeek} | 0 ...ookies.bro => var-extraction-cookies.zeek} | 0 ...action-uri.bro => var-extraction-uri.zeek} | 0 ...ticket-logging.bro => ticket-logging.zeek} | 0 ...s-slaves.bro => known-masters-slaves.zeek} | 0 .../{track-memmap.bro => track-memmap.zeek} | 0 .../mysql/{software.bro => software.zeek} | 0 .../{indicate_ssl.bro => indicate_ssl.zeek} | 0 .../smb/{__load__.bro => __load__.zeek} | 0 .../smb/{log-cmds.bro => log-cmds.zeek} | 0 .../smtp/{blocklists.bro => blocklists.zeek} | 0 ...s-orig.bro => detect-suspicious-orig.zeek} | 0 ...ties-excerpt.bro => entities-excerpt.zeek} | 0 .../smtp/{software.bro => software.zeek} | 0 ...teforcing.bro => detect-bruteforcing.zeek} | 0 .../ssh/{geo-data.bro => geo-data.zeek} | 0 ...stnames.bro => interesting-hostnames.zeek} | 0 .../ssh/{software.bro => software.zeek} | 0 ...expiring-certs.bro => expiring-certs.zeek} | 0 ...t-certs-pem.bro => extract-certs-pem.zeek} | 0 .../ssl/{heartbleed.bro => heartbleed.zeek} | 0 .../ssl/{known-certs.bro => known-certs.zeek} | 0 ...certs-only.bro => log-hostcerts-only.zeek} | 0 .../protocols/ssl/{notary.bro => notary.zeek} | 0 ...validate-certs.bro => validate-certs.zeek} | 0 .../{validate-ocsp.bro => validate-ocsp.zeek} | 0 .../{validate-sct.bro => validate-sct.zeek} | 0 .../ssl/{weak-keys.bro => weak-keys.zeek} | 0 .../tuning/{__load__.bro => __load__.zeek} | 0 .../defaults/{__load__.bro => __load__.zeek} | 0 ..._limits.bro => extracted_file_limits.zeek} | 0 
...et-fragments.bro => packet-fragments.zeek} | 0 .../defaults/{warnings.bro => warnings.zeek} | 0 .../tuning/{json-logs.bro => json-logs.zeek} | 0 ...k-all-assets.bro => track-all-assets.zeek} | 0 scripts/site/{local.bro => local.zeek} | 0 scripts/test-all-policy.bro | 113 ------------------ scripts/test-all-policy.zeek | 113 ++++++++++++++++++ src/CMakeLists.txt | 6 +- src/Type.cc | 2 +- src/broxygen/ScriptInfo.cc | 4 +- src/broxygen/ScriptInfo.h | 2 +- src/broxygen/Target.h | 2 +- src/broxygen/broxygen.bif | 2 +- src/const.bif | 2 +- src/main.cc | 6 +- src/plugin/Manager.cc | 4 +- src/reporter.bif | 2 +- src/scan.l | 4 +- src/types.bif | 2 +- src/util.h | 2 +- 357 files changed, 169 insertions(+), 169 deletions(-) rename scripts/base/files/extract/{__load__.bro => __load__.zeek} (100%) rename scripts/base/files/extract/{main.bro => main.zeek} (100%) rename scripts/base/files/hash/{__load__.bro => __load__.zeek} (100%) rename scripts/base/files/hash/{main.bro => main.zeek} (100%) rename scripts/base/files/pe/{__load__.bro => __load__.zeek} (100%) rename scripts/base/files/pe/{consts.bro => consts.zeek} (100%) rename scripts/base/files/pe/{main.bro => main.zeek} (100%) rename scripts/base/files/unified2/{__load__.bro => __load__.zeek} (100%) rename scripts/base/files/unified2/{main.bro => main.zeek} (100%) rename scripts/base/files/x509/{__load__.bro => __load__.zeek} (100%) rename scripts/base/files/x509/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/analyzer/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/analyzer/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/broker/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/broker/{log.bro => log.zeek} (100%) rename scripts/base/frameworks/broker/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/broker/{store.bro => store.zeek} (100%) rename scripts/base/frameworks/cluster/{__load__.bro => __load__.zeek} (100%) rename 
scripts/base/frameworks/cluster/{main.bro => main.zeek} (98%) rename scripts/base/frameworks/cluster/nodes/{logger.bro => logger.zeek} (100%) rename scripts/base/frameworks/cluster/nodes/{manager.bro => manager.zeek} (100%) rename scripts/base/frameworks/cluster/nodes/{proxy.bro => proxy.zeek} (100%) rename scripts/base/frameworks/cluster/nodes/{worker.bro => worker.zeek} (100%) rename scripts/base/frameworks/cluster/{pools.bro => pools.zeek} (100%) rename scripts/base/frameworks/cluster/{setup-connections.bro => setup-connections.zeek} (100%) rename scripts/base/frameworks/config/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/config/{input.bro => input.zeek} (100%) rename scripts/base/frameworks/config/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/config/{weird.bro => weird.zeek} (100%) rename scripts/base/frameworks/control/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/control/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/dpd/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/dpd/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/files/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/files/magic/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/files/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/input/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/input/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/input/readers/{ascii.bro => ascii.zeek} (100%) rename scripts/base/frameworks/input/readers/{benchmark.bro => benchmark.zeek} (100%) rename scripts/base/frameworks/input/readers/{binary.bro => binary.zeek} (100%) rename scripts/base/frameworks/input/readers/{config.bro => config.zeek} (100%) rename scripts/base/frameworks/input/readers/{raw.bro => raw.zeek} (100%) rename scripts/base/frameworks/input/readers/{sqlite.bro => sqlite.zeek} (100%) rename 
scripts/base/frameworks/intel/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/intel/{cluster.bro => cluster.zeek} (100%) rename scripts/base/frameworks/intel/{files.bro => files.zeek} (100%) rename scripts/base/frameworks/intel/{input.bro => input.zeek} (100%) rename scripts/base/frameworks/intel/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/logging/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/logging/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/logging/postprocessors/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/logging/postprocessors/{scp.bro => scp.zeek} (100%) rename scripts/base/frameworks/logging/postprocessors/{sftp.bro => sftp.zeek} (100%) rename scripts/base/frameworks/logging/writers/{ascii.bro => ascii.zeek} (100%) rename scripts/base/frameworks/logging/writers/{none.bro => none.zeek} (100%) rename scripts/base/frameworks/logging/writers/{sqlite.bro => sqlite.zeek} (100%) rename scripts/base/frameworks/netcontrol/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/netcontrol/{catch-and-release.bro => catch-and-release.zeek} (100%) rename scripts/base/frameworks/netcontrol/{cluster.bro => cluster.zeek} (100%) rename scripts/base/frameworks/netcontrol/{drop.bro => drop.zeek} (100%) rename scripts/base/frameworks/netcontrol/{main.bro => main.zeek} (99%) rename scripts/base/frameworks/netcontrol/{non-cluster.bro => non-cluster.zeek} (100%) rename scripts/base/frameworks/netcontrol/{plugin.bro => plugin.zeek} (100%) rename scripts/base/frameworks/netcontrol/plugins/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/netcontrol/plugins/{acld.bro => acld.zeek} (100%) rename scripts/base/frameworks/netcontrol/plugins/{broker.bro => broker.zeek} (100%) rename scripts/base/frameworks/netcontrol/plugins/{debug.bro => debug.zeek} (100%) rename scripts/base/frameworks/netcontrol/plugins/{openflow.bro => openflow.zeek} (100%) 
rename scripts/base/frameworks/netcontrol/plugins/{packetfilter.bro => packetfilter.zeek} (100%) rename scripts/base/frameworks/netcontrol/{shunt.bro => shunt.zeek} (100%) rename scripts/base/frameworks/netcontrol/{types.bro => types.zeek} (100%) rename scripts/base/frameworks/notice/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/notice/actions/{add-geodata.bro => add-geodata.zeek} (100%) rename scripts/base/frameworks/notice/actions/{drop.bro => drop.zeek} (100%) rename scripts/base/frameworks/notice/actions/{email_admin.bro => email_admin.zeek} (100%) rename scripts/base/frameworks/notice/actions/{page.bro => page.zeek} (100%) rename scripts/base/frameworks/notice/actions/{pp-alarms.bro => pp-alarms.zeek} (100%) rename scripts/base/frameworks/notice/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/notice/{weird.bro => weird.zeek} (100%) rename scripts/base/frameworks/openflow/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/openflow/{cluster.bro => cluster.zeek} (100%) rename scripts/base/frameworks/openflow/{consts.bro => consts.zeek} (100%) rename scripts/base/frameworks/openflow/{main.bro => main.zeek} (99%) rename scripts/base/frameworks/openflow/{non-cluster.bro => non-cluster.zeek} (100%) rename scripts/base/frameworks/openflow/plugins/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/openflow/plugins/{broker.bro => broker.zeek} (100%) rename scripts/base/frameworks/openflow/plugins/{log.bro => log.zeek} (100%) rename scripts/base/frameworks/openflow/plugins/{ryu.bro => ryu.zeek} (100%) rename scripts/base/frameworks/openflow/{types.bro => types.zeek} (100%) rename scripts/base/frameworks/packet-filter/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/packet-filter/{cluster.bro => cluster.zeek} (100%) rename scripts/base/frameworks/packet-filter/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/packet-filter/{netstats.bro => netstats.zeek} (100%) 
rename scripts/base/frameworks/packet-filter/{utils.bro => utils.zeek} (100%) rename scripts/base/frameworks/reporter/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/reporter/{main.bro => main.zeek} (99%) rename scripts/base/frameworks/signatures/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/signatures/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/software/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/software/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/sumstats/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/sumstats/{cluster.bro => cluster.zeek} (100%) rename scripts/base/frameworks/sumstats/{main.bro => main.zeek} (100%) rename scripts/base/frameworks/sumstats/{non-cluster.bro => non-cluster.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{average.bro => average.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{hll_unique.bro => hll_unique.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{last.bro => last.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{max.bro => max.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{min.bro => min.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{sample.bro => sample.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{std-dev.bro => std-dev.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{sum.bro => sum.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{topk.bro => topk.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{unique.bro => unique.zeek} (100%) rename scripts/base/frameworks/sumstats/plugins/{variance.bro => variance.zeek} (100%) rename scripts/base/frameworks/tunnels/{__load__.bro => __load__.zeek} (100%) rename scripts/base/frameworks/tunnels/{main.bro => main.zeek} (100%) rename 
scripts/base/{init-bare.bro => init-bare.zeek} (99%) rename scripts/base/{init-default.bro => init-default.zeek} (98%) rename scripts/base/{init-frameworks-and-bifs.bro => init-frameworks-and-bifs.zeek} (86%) rename scripts/base/misc/{find-checksum-offloading.bro => find-checksum-offloading.zeek} (100%) rename scripts/base/misc/{find-filtered-trace.bro => find-filtered-trace.zeek} (100%) rename scripts/base/misc/{version.bro => version.zeek} (100%) rename scripts/base/protocols/conn/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/conn/{contents.bro => contents.zeek} (100%) rename scripts/base/protocols/conn/{inactivity.bro => inactivity.zeek} (100%) rename scripts/base/protocols/conn/{main.bro => main.zeek} (100%) rename scripts/base/protocols/conn/{polling.bro => polling.zeek} (100%) rename scripts/base/protocols/conn/{thresholds.bro => thresholds.zeek} (100%) rename scripts/base/protocols/dce-rpc/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/dce-rpc/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/dce-rpc/{main.bro => main.zeek} (100%) rename scripts/base/protocols/dhcp/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/dhcp/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/dhcp/{main.bro => main.zeek} (100%) rename scripts/base/protocols/dnp3/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/dnp3/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/dnp3/{main.bro => main.zeek} (100%) rename scripts/base/protocols/dns/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/dns/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/dns/{main.bro => main.zeek} (100%) rename scripts/base/protocols/ftp/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/ftp/{files.bro => files.zeek} (100%) rename scripts/base/protocols/ftp/{gridftp.bro => gridftp.zeek} (100%) rename scripts/base/protocols/ftp/{info.bro => 
info.zeek} (100%) rename scripts/base/protocols/ftp/{main.bro => main.zeek} (100%) rename scripts/base/protocols/ftp/{utils-commands.bro => utils-commands.zeek} (100%) rename scripts/base/protocols/ftp/{utils.bro => utils.zeek} (100%) rename scripts/base/protocols/http/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/http/{entities.bro => entities.zeek} (100%) rename scripts/base/protocols/http/{files.bro => files.zeek} (100%) rename scripts/base/protocols/http/{main.bro => main.zeek} (100%) rename scripts/base/protocols/http/{utils.bro => utils.zeek} (100%) rename scripts/base/protocols/imap/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/imap/{main.bro => main.zeek} (100%) rename scripts/base/protocols/irc/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/irc/{dcc-send.bro => dcc-send.zeek} (100%) rename scripts/base/protocols/irc/{files.bro => files.zeek} (100%) rename scripts/base/protocols/irc/{main.bro => main.zeek} (100%) rename scripts/base/protocols/krb/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/krb/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/krb/{files.bro => files.zeek} (100%) rename scripts/base/protocols/krb/{main.bro => main.zeek} (100%) rename scripts/base/protocols/modbus/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/modbus/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/modbus/{main.bro => main.zeek} (100%) rename scripts/base/protocols/mysql/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/mysql/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/mysql/{main.bro => main.zeek} (100%) rename scripts/base/protocols/ntlm/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/ntlm/{main.bro => main.zeek} (100%) rename scripts/base/protocols/pop3/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/radius/{__load__.bro => __load__.zeek} (100%) 
rename scripts/base/protocols/radius/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/radius/{main.bro => main.zeek} (100%) rename scripts/base/protocols/rdp/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/rdp/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/rdp/{main.bro => main.zeek} (100%) rename scripts/base/protocols/rfb/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/rfb/{main.bro => main.zeek} (100%) rename scripts/base/protocols/sip/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/sip/{main.bro => main.zeek} (100%) rename scripts/base/protocols/smb/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/smb/{const-dos-error.bro => const-dos-error.zeek} (100%) rename scripts/base/protocols/smb/{const-nt-status.bro => const-nt-status.zeek} (100%) rename scripts/base/protocols/smb/{consts.bro => consts.zeek} (99%) rename scripts/base/protocols/smb/{files.bro => files.zeek} (100%) rename scripts/base/protocols/smb/{main.bro => main.zeek} (100%) rename scripts/base/protocols/smb/{smb1-main.bro => smb1-main.zeek} (100%) rename scripts/base/protocols/smb/{smb2-main.bro => smb2-main.zeek} (100%) rename scripts/base/protocols/smtp/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/smtp/{entities.bro => entities.zeek} (100%) rename scripts/base/protocols/smtp/{files.bro => files.zeek} (100%) rename scripts/base/protocols/smtp/{main.bro => main.zeek} (100%) rename scripts/base/protocols/snmp/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/snmp/{main.bro => main.zeek} (100%) rename scripts/base/protocols/socks/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/socks/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/socks/{main.bro => main.zeek} (100%) rename scripts/base/protocols/ssh/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/ssh/{main.bro => main.zeek} (100%) rename 
scripts/base/protocols/ssl/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/ssl/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/ssl/{ct-list.bro => ct-list.zeek} (100%) rename scripts/base/protocols/ssl/{files.bro => files.zeek} (100%) rename scripts/base/protocols/ssl/{main.bro => main.zeek} (99%) rename scripts/base/protocols/ssl/{mozilla-ca-list.bro => mozilla-ca-list.zeek} (100%) rename scripts/base/protocols/syslog/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/syslog/{consts.bro => consts.zeek} (100%) rename scripts/base/protocols/syslog/{main.bro => main.zeek} (100%) rename scripts/base/protocols/tunnels/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/xmpp/{__load__.bro => __load__.zeek} (100%) rename scripts/base/protocols/xmpp/{main.bro => main.zeek} (100%) rename scripts/base/utils/{active-http.bro => active-http.zeek} (100%) rename scripts/base/utils/{addrs.bro => addrs.zeek} (100%) rename scripts/base/utils/{conn-ids.bro => conn-ids.zeek} (100%) rename scripts/base/utils/{dir.bro => dir.zeek} (100%) rename scripts/base/utils/{directions-and-hosts.bro => directions-and-hosts.zeek} (100%) rename scripts/base/utils/{email.bro => email.zeek} (100%) rename scripts/base/utils/{exec.bro => exec.zeek} (100%) rename scripts/base/utils/{files.bro => files.zeek} (100%) rename scripts/base/utils/{geoip-distance.bro => geoip-distance.zeek} (100%) rename scripts/base/utils/{hash_hrw.bro => hash_hrw.zeek} (100%) rename scripts/base/utils/{json.bro => json.zeek} (100%) rename scripts/base/utils/{numbers.bro => numbers.zeek} (100%) rename scripts/base/utils/{paths.bro => paths.zeek} (100%) rename scripts/base/utils/{patterns.bro => patterns.zeek} (100%) rename scripts/base/utils/{queue.bro => queue.zeek} (100%) rename scripts/base/utils/{site.bro => site.zeek} (100%) rename scripts/base/utils/{strings.bro => strings.zeek} (100%) rename scripts/base/utils/{thresholds.bro => thresholds.zeek} 
(100%) rename scripts/base/utils/{time.bro => time.zeek} (100%) rename scripts/base/utils/{urls.bro => urls.zeek} (100%) delete mode 100644 scripts/broxygen/__load__.bro create mode 100644 scripts/broxygen/__load__.zeek rename scripts/broxygen/{example.bro => example.zeek} (100%) rename scripts/policy/files/x509/{log-ocsp.bro => log-ocsp.zeek} (100%) rename scripts/policy/frameworks/control/{controllee.bro => controllee.zeek} (100%) rename scripts/policy/frameworks/control/{controller.bro => controller.zeek} (100%) rename scripts/policy/frameworks/dpd/{detect-protocols.bro => detect-protocols.zeek} (100%) rename scripts/policy/frameworks/dpd/{packet-segment-logging.bro => packet-segment-logging.zeek} (100%) rename scripts/policy/frameworks/files/{detect-MHR.bro => detect-MHR.zeek} (100%) rename scripts/policy/frameworks/files/{entropy-test-all-files.bro => entropy-test-all-files.zeek} (100%) rename scripts/policy/frameworks/files/{extract-all-files.bro => extract-all-files.zeek} (100%) rename scripts/policy/frameworks/files/{hash-all-files.bro => hash-all-files.zeek} (100%) rename scripts/policy/frameworks/intel/{do_expire.bro => do_expire.zeek} (100%) rename scripts/policy/frameworks/intel/{do_notice.bro => do_notice.zeek} (100%) rename scripts/policy/frameworks/intel/{removal.bro => removal.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{__load__.bro => __load__.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{conn-established.bro => conn-established.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{dns.bro => dns.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{file-hashes.bro => file-hashes.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{file-names.bro => file-names.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{http-headers.bro => http-headers.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{http-url.bro => http-url.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{pubkey-hashes.bro => 
pubkey-hashes.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{smb-filenames.bro => smb-filenames.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{smtp-url-extraction.bro => smtp-url-extraction.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{smtp.bro => smtp.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{ssl.bro => ssl.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{where-locations.bro => where-locations.zeek} (100%) rename scripts/policy/frameworks/intel/seen/{x509.bro => x509.zeek} (100%) rename scripts/policy/frameworks/intel/{whitelist.bro => whitelist.zeek} (100%) rename scripts/policy/frameworks/notice/{__load__.bro => __load__.zeek} (100%) rename scripts/policy/frameworks/notice/extend-email/{hostnames.bro => hostnames.zeek} (100%) rename scripts/policy/frameworks/packet-filter/{shunt.bro => shunt.zeek} (100%) rename scripts/policy/frameworks/software/{version-changes.bro => version-changes.zeek} (100%) rename scripts/policy/frameworks/software/{vulnerable.bro => vulnerable.zeek} (100%) rename scripts/policy/frameworks/software/{windows-version-detection.bro => windows-version-detection.zeek} (100%) rename scripts/policy/integration/barnyard2/{__load__.bro => __load__.zeek} (100%) rename scripts/policy/integration/barnyard2/{main.bro => main.zeek} (100%) rename scripts/policy/integration/barnyard2/{types.bro => types.zeek} (100%) rename scripts/policy/integration/collective-intel/{__load__.bro => __load__.zeek} (100%) rename scripts/policy/integration/collective-intel/{main.bro => main.zeek} (100%) rename scripts/policy/misc/{capture-loss.bro => capture-loss.zeek} (100%) rename scripts/policy/misc/detect-traceroute/{__load__.bro => __load__.zeek} (100%) rename scripts/policy/misc/detect-traceroute/{main.bro => main.zeek} (100%) rename scripts/policy/misc/{dump-events.bro => dump-events.zeek} (100%) rename scripts/policy/misc/{load-balancing.bro => load-balancing.zeek} (100%) rename 
scripts/policy/misc/{loaded-scripts.bro => loaded-scripts.zeek} (100%) rename scripts/policy/misc/{profiling.bro => profiling.zeek} (100%) rename scripts/policy/misc/{scan.bro => scan.zeek} (100%) rename scripts/policy/misc/{stats.bro => stats.zeek} (100%) rename scripts/policy/misc/{trim-trace-file.bro => trim-trace-file.zeek} (100%) rename scripts/policy/misc/{weird-stats.bro => weird-stats.zeek} (100%) rename scripts/policy/protocols/conn/{known-hosts.bro => known-hosts.zeek} (100%) rename scripts/policy/protocols/conn/{known-services.bro => known-services.zeek} (100%) rename scripts/policy/protocols/conn/{mac-logging.bro => mac-logging.zeek} (100%) rename scripts/policy/protocols/conn/{vlan-logging.bro => vlan-logging.zeek} (100%) rename scripts/policy/protocols/conn/{weirds.bro => weirds.zeek} (100%) rename scripts/policy/protocols/dhcp/{deprecated_events.bro => deprecated_events.zeek} (100%) rename scripts/policy/protocols/dhcp/{msg-orig.bro => msg-orig.zeek} (100%) rename scripts/policy/protocols/dhcp/{software.bro => software.zeek} (100%) rename scripts/policy/protocols/dhcp/{sub-opts.bro => sub-opts.zeek} (100%) rename scripts/policy/protocols/dns/{auth-addl.bro => auth-addl.zeek} (100%) rename scripts/policy/protocols/dns/{detect-external-names.bro => detect-external-names.zeek} (100%) rename scripts/policy/protocols/ftp/{detect-bruteforcing.bro => detect-bruteforcing.zeek} (100%) rename scripts/policy/protocols/ftp/{detect.bro => detect.zeek} (100%) rename scripts/policy/protocols/ftp/{software.bro => software.zeek} (100%) rename scripts/policy/protocols/http/{detect-sqli.bro => detect-sqli.zeek} (100%) rename scripts/policy/protocols/http/{detect-webapps.bro => detect-webapps.zeek} (100%) rename scripts/policy/protocols/http/{header-names.bro => header-names.zeek} (100%) rename scripts/policy/protocols/http/{software-browser-plugins.bro => software-browser-plugins.zeek} (100%) rename scripts/policy/protocols/http/{software.bro => software.zeek} (100%) 
rename scripts/policy/protocols/http/{var-extraction-cookies.bro => var-extraction-cookies.zeek} (100%) rename scripts/policy/protocols/http/{var-extraction-uri.bro => var-extraction-uri.zeek} (100%) rename scripts/policy/protocols/krb/{ticket-logging.bro => ticket-logging.zeek} (100%) rename scripts/policy/protocols/modbus/{known-masters-slaves.bro => known-masters-slaves.zeek} (100%) rename scripts/policy/protocols/modbus/{track-memmap.bro => track-memmap.zeek} (100%) rename scripts/policy/protocols/mysql/{software.bro => software.zeek} (100%) rename scripts/policy/protocols/rdp/{indicate_ssl.bro => indicate_ssl.zeek} (100%) rename scripts/policy/protocols/smb/{__load__.bro => __load__.zeek} (100%) rename scripts/policy/protocols/smb/{log-cmds.bro => log-cmds.zeek} (100%) rename scripts/policy/protocols/smtp/{blocklists.bro => blocklists.zeek} (100%) rename scripts/policy/protocols/smtp/{detect-suspicious-orig.bro => detect-suspicious-orig.zeek} (100%) rename scripts/policy/protocols/smtp/{entities-excerpt.bro => entities-excerpt.zeek} (100%) rename scripts/policy/protocols/smtp/{software.bro => software.zeek} (100%) rename scripts/policy/protocols/ssh/{detect-bruteforcing.bro => detect-bruteforcing.zeek} (100%) rename scripts/policy/protocols/ssh/{geo-data.bro => geo-data.zeek} (100%) rename scripts/policy/protocols/ssh/{interesting-hostnames.bro => interesting-hostnames.zeek} (100%) rename scripts/policy/protocols/ssh/{software.bro => software.zeek} (100%) rename scripts/policy/protocols/ssl/{expiring-certs.bro => expiring-certs.zeek} (100%) rename scripts/policy/protocols/ssl/{extract-certs-pem.bro => extract-certs-pem.zeek} (100%) rename scripts/policy/protocols/ssl/{heartbleed.bro => heartbleed.zeek} (100%) rename scripts/policy/protocols/ssl/{known-certs.bro => known-certs.zeek} (100%) rename scripts/policy/protocols/ssl/{log-hostcerts-only.bro => log-hostcerts-only.zeek} (100%) rename scripts/policy/protocols/ssl/{notary.bro => notary.zeek} (100%) rename 
scripts/policy/protocols/ssl/{validate-certs.bro => validate-certs.zeek} (100%) rename scripts/policy/protocols/ssl/{validate-ocsp.bro => validate-ocsp.zeek} (100%) rename scripts/policy/protocols/ssl/{validate-sct.bro => validate-sct.zeek} (100%) rename scripts/policy/protocols/ssl/{weak-keys.bro => weak-keys.zeek} (100%) rename scripts/policy/tuning/{__load__.bro => __load__.zeek} (100%) rename scripts/policy/tuning/defaults/{__load__.bro => __load__.zeek} (100%) rename scripts/policy/tuning/defaults/{extracted_file_limits.bro => extracted_file_limits.zeek} (100%) rename scripts/policy/tuning/defaults/{packet-fragments.bro => packet-fragments.zeek} (100%) rename scripts/policy/tuning/defaults/{warnings.bro => warnings.zeek} (100%) rename scripts/policy/tuning/{json-logs.bro => json-logs.zeek} (100%) rename scripts/policy/tuning/{track-all-assets.bro => track-all-assets.zeek} (100%) rename scripts/site/{local.bro => local.zeek} (100%) delete mode 100644 scripts/test-all-policy.bro create mode 100644 scripts/test-all-policy.zeek diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 96c682871a..189c9b9df8 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt @@ -2,8 +2,8 @@ include(InstallPackageConfigFile) install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING PATTERN "site/local*" EXCLUDE - PATTERN "test-all-policy.bro" EXCLUDE - PATTERN "*.bro" + PATTERN "test-all-policy.zeek" EXCLUDE + PATTERN "*.zeek" PATTERN "*.sig" PATTERN "*.fp" ) @@ -11,6 +11,6 @@ install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING # Install all local* scripts as config files since they are meant to be # user modify-able. InstallPackageConfigFile( - ${CMAKE_CURRENT_SOURCE_DIR}/site/local.bro + ${CMAKE_CURRENT_SOURCE_DIR}/site/local.zeek ${BRO_SCRIPT_INSTALL_PATH}/site - local.bro) + local.zeek) 
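Review bot: The install glob in the first scripts/CMakeLists.txt hunk now matches only `PATTERN "*.zeek"`, so any `.bro` script still under scripts/ is skipped at install time without an error. The second hunk (`@@ -11,6 +11,6 @@`) likewise installs only `site/local.zeek` as the user-modifiable config file. Nothing visible here shows whether the script loader falls back to the old extension, so an upgraded sensor that carries a customised `site/local.bro` may start with the stock policy and lose its site-specific detections and logging. Consider keeping `PATTERN "*.bro"` next to `PATTERN "*.zeek"` for a transition period. Adding a configure-time `message(WARNING ...)` when `${BRO_SCRIPT_INSTALL_PATH}/site/local.bro` already exists would make the change visible to operators.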
diff --git a/scripts/base/files/extract/__load__.bro b/scripts/base/files/extract/__load__.zeek
similarity index 100%
rename from scripts/base/files/extract/__load__.bro
rename to scripts/base/files/extract/__load__.zeek
diff --git a/scripts/base/files/extract/main.bro b/scripts/base/files/extract/main.zeek
similarity index 100%
rename from scripts/base/files/extract/main.bro
rename to scripts/base/files/extract/main.zeek
diff --git a/scripts/base/files/hash/__load__.bro b/scripts/base/files/hash/__load__.zeek
similarity index 100%
rename from scripts/base/files/hash/__load__.bro
rename to scripts/base/files/hash/__load__.zeek
diff --git a/scripts/base/files/hash/main.bro b/scripts/base/files/hash/main.zeek
similarity index 100%
rename from scripts/base/files/hash/main.bro
rename to scripts/base/files/hash/main.zeek
diff --git a/scripts/base/files/pe/__load__.bro b/scripts/base/files/pe/__load__.zeek
similarity index 100%
rename from scripts/base/files/pe/__load__.bro
rename to scripts/base/files/pe/__load__.zeek
diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.zeek
similarity index 100%
rename from scripts/base/files/pe/consts.bro
rename to scripts/base/files/pe/consts.zeek
diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.zeek
similarity index 100%
rename from scripts/base/files/pe/main.bro
rename to scripts/base/files/pe/main.zeek
diff --git a/scripts/base/files/unified2/__load__.bro b/scripts/base/files/unified2/__load__.zeek
similarity index 100%
rename from scripts/base/files/unified2/__load__.bro
rename to scripts/base/files/unified2/__load__.zeek
diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.zeek
similarity index 100%
rename from scripts/base/files/unified2/main.bro
rename to scripts/base/files/unified2/main.zeek
diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.zeek
similarity index 100%
rename from scripts/base/files/x509/__load__.bro
rename to scripts/base/files/x509/__load__.zeek
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.zeek
similarity index 100%
rename from scripts/base/files/x509/main.bro
rename to scripts/base/files/x509/main.zeek
diff --git a/scripts/base/frameworks/analyzer/__load__.bro b/scripts/base/frameworks/analyzer/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/analyzer/__load__.bro
rename to scripts/base/frameworks/analyzer/__load__.zeek
diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.zeek
similarity index 100%
rename from scripts/base/frameworks/analyzer/main.bro
rename to scripts/base/frameworks/analyzer/main.zeek
diff --git a/scripts/base/frameworks/broker/__load__.bro b/scripts/base/frameworks/broker/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/broker/__load__.bro
rename to scripts/base/frameworks/broker/__load__.zeek
diff --git a/scripts/base/frameworks/broker/log.bro b/scripts/base/frameworks/broker/log.zeek
similarity index 100%
rename from scripts/base/frameworks/broker/log.bro
rename to scripts/base/frameworks/broker/log.zeek
diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.zeek
similarity index 100%
rename from scripts/base/frameworks/broker/main.bro
rename to scripts/base/frameworks/broker/main.zeek
diff --git a/scripts/base/frameworks/broker/store.bro b/scripts/base/frameworks/broker/store.zeek
similarity index 100%
rename from scripts/base/frameworks/broker/store.bro
rename to scripts/base/frameworks/broker/store.zeek
diff --git a/scripts/base/frameworks/cluster/__load__.bro b/scripts/base/frameworks/cluster/__load__.zeek similarity index 100% rename from scripts/base/frameworks/cluster/__load__.bro rename to scripts/base/frameworks/cluster/__load__.zeek diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.zeek similarity index 98% rename from scripts/base/frameworks/cluster/main.bro rename to scripts/base/frameworks/cluster/main.zeek index 2d492454d4..2cb0401eea 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.zeek @@ -1,6 +1,6 @@ ##! A framework for establishing and controlling a cluster of Bro instances. ##! In order to use the cluster framework, a script named -##! ``cluster-layout.bro`` must exist somewhere in Bro's script search path +##! ``cluster-layout.zeek`` must exist somewhere in Bro's script search path ##! which has a cluster definition of the :bro:id:`Cluster::nodes` variable. ##! The ``CLUSTER_NODE`` environment variable or :bro:id:`Cluster::node` ##! must also be sent and the cluster framework loaded as a package like @@ -192,7 +192,7 @@ export { global worker_count: count = 0; ## The cluster layout definition. This should be placed into a filter - ## named cluster-layout.bro somewhere in the BROPATH. It will be + ## named cluster-layout.zeek somewhere in the BROPATH. It will be ## automatically loaded if the CLUSTER_NODE environment variable is set. ## Note that BroControl handles all of this automatically. ## The table is typically indexed by node names/labels (e.g. "manager" 
@@ -200,7 +200,7 @@ export { const nodes: table[string] of Node = {} &redef; ## Indicates whether or not the manager will act as the logger and receive - ## logs. This value should be set in the cluster-layout.bro script (the + ## logs. This value should be set in the cluster-layout.zeek script (the ## value should be true only if no logger is specified in Cluster::nodes). ## Note that BroControl handles this automatically. const manager_is_logger = T &redef; diff --git a/scripts/base/frameworks/cluster/nodes/logger.bro b/scripts/base/frameworks/cluster/nodes/logger.zeek similarity index 100% rename from scripts/base/frameworks/cluster/nodes/logger.bro rename to scripts/base/frameworks/cluster/nodes/logger.zeek diff --git a/scripts/base/frameworks/cluster/nodes/manager.bro b/scripts/base/frameworks/cluster/nodes/manager.zeek similarity index 100% rename from scripts/base/frameworks/cluster/nodes/manager.bro rename to scripts/base/frameworks/cluster/nodes/manager.zeek diff --git a/scripts/base/frameworks/cluster/nodes/proxy.bro b/scripts/base/frameworks/cluster/nodes/proxy.zeek similarity index 100% rename from scripts/base/frameworks/cluster/nodes/proxy.bro rename to scripts/base/frameworks/cluster/nodes/proxy.zeek diff --git a/scripts/base/frameworks/cluster/nodes/worker.bro b/scripts/base/frameworks/cluster/nodes/worker.zeek similarity index 100% rename from scripts/base/frameworks/cluster/nodes/worker.bro rename to scripts/base/frameworks/cluster/nodes/worker.zeek diff --git a/scripts/base/frameworks/cluster/pools.bro b/scripts/base/frameworks/cluster/pools.zeek similarity index 100% rename from scripts/base/frameworks/cluster/pools.bro rename to scripts/base/frameworks/cluster/pools.zeek diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.zeek similarity index 100% rename from scripts/base/frameworks/cluster/setup-connections.bro rename to scripts/base/frameworks/cluster/setup-connections.zeek 
diff --git a/scripts/base/frameworks/config/__load__.bro b/scripts/base/frameworks/config/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/config/__load__.bro
rename to scripts/base/frameworks/config/__load__.zeek
diff --git a/scripts/base/frameworks/config/input.bro b/scripts/base/frameworks/config/input.zeek
similarity index 100%
rename from scripts/base/frameworks/config/input.bro
rename to scripts/base/frameworks/config/input.zeek
diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.zeek
similarity index 100%
rename from scripts/base/frameworks/config/main.bro
rename to scripts/base/frameworks/config/main.zeek
diff --git a/scripts/base/frameworks/config/weird.bro b/scripts/base/frameworks/config/weird.zeek
similarity index 100%
rename from scripts/base/frameworks/config/weird.bro
rename to scripts/base/frameworks/config/weird.zeek
diff --git a/scripts/base/frameworks/control/__load__.bro b/scripts/base/frameworks/control/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/control/__load__.bro
rename to scripts/base/frameworks/control/__load__.zeek
diff --git a/scripts/base/frameworks/control/main.bro b/scripts/base/frameworks/control/main.zeek
similarity index 100%
rename from scripts/base/frameworks/control/main.bro
rename to scripts/base/frameworks/control/main.zeek
diff --git a/scripts/base/frameworks/dpd/__load__.bro b/scripts/base/frameworks/dpd/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/dpd/__load__.bro
rename to scripts/base/frameworks/dpd/__load__.zeek
diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.zeek
similarity index 100%
rename from scripts/base/frameworks/dpd/main.bro
rename to scripts/base/frameworks/dpd/main.zeek
diff --git a/scripts/base/frameworks/files/__load__.bro b/scripts/base/frameworks/files/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/files/__load__.bro
rename to scripts/base/frameworks/files/__load__.zeek
diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/files/magic/__load__.bro
rename to scripts/base/frameworks/files/magic/__load__.zeek
diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.zeek
similarity index 100%
rename from scripts/base/frameworks/files/main.bro
rename to scripts/base/frameworks/files/main.zeek
diff --git a/scripts/base/frameworks/input/__load__.bro b/scripts/base/frameworks/input/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/input/__load__.bro
rename to scripts/base/frameworks/input/__load__.zeek
diff --git a/scripts/base/frameworks/input/main.bro b/scripts/base/frameworks/input/main.zeek
similarity index 100%
rename from scripts/base/frameworks/input/main.bro
rename to scripts/base/frameworks/input/main.zeek
diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.zeek
similarity index 100%
rename from scripts/base/frameworks/input/readers/ascii.bro
rename to scripts/base/frameworks/input/readers/ascii.zeek
diff --git a/scripts/base/frameworks/input/readers/benchmark.bro b/scripts/base/frameworks/input/readers/benchmark.zeek
similarity index 100%
rename from scripts/base/frameworks/input/readers/benchmark.bro
rename to scripts/base/frameworks/input/readers/benchmark.zeek
diff --git a/scripts/base/frameworks/input/readers/binary.bro b/scripts/base/frameworks/input/readers/binary.zeek
similarity index 100%
rename from scripts/base/frameworks/input/readers/binary.bro
rename to scripts/base/frameworks/input/readers/binary.zeek
diff --git a/scripts/base/frameworks/input/readers/config.bro b/scripts/base/frameworks/input/readers/config.zeek
similarity index 100%
rename from scripts/base/frameworks/input/readers/config.bro
rename to scripts/base/frameworks/input/readers/config.zeek
diff --git a/scripts/base/frameworks/input/readers/raw.bro b/scripts/base/frameworks/input/readers/raw.zeek
similarity index 100%
rename from scripts/base/frameworks/input/readers/raw.bro
rename to scripts/base/frameworks/input/readers/raw.zeek
diff --git a/scripts/base/frameworks/input/readers/sqlite.bro b/scripts/base/frameworks/input/readers/sqlite.zeek
similarity index 100%
rename from scripts/base/frameworks/input/readers/sqlite.bro
rename to scripts/base/frameworks/input/readers/sqlite.zeek
diff --git a/scripts/base/frameworks/intel/__load__.bro b/scripts/base/frameworks/intel/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/intel/__load__.bro
rename to scripts/base/frameworks/intel/__load__.zeek
diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.zeek
similarity index 100%
rename from scripts/base/frameworks/intel/cluster.bro
rename to scripts/base/frameworks/intel/cluster.zeek
diff --git a/scripts/base/frameworks/intel/files.bro b/scripts/base/frameworks/intel/files.zeek
similarity index 100%
rename from scripts/base/frameworks/intel/files.bro
rename to scripts/base/frameworks/intel/files.zeek
diff --git a/scripts/base/frameworks/intel/input.bro b/scripts/base/frameworks/intel/input.zeek
similarity index 100%
rename from scripts/base/frameworks/intel/input.bro
rename to scripts/base/frameworks/intel/input.zeek
diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.zeek
similarity index 100%
rename from scripts/base/frameworks/intel/main.bro
rename to scripts/base/frameworks/intel/main.zeek
diff --git a/scripts/base/frameworks/logging/__load__.bro b/scripts/base/frameworks/logging/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/logging/__load__.bro
rename to scripts/base/frameworks/logging/__load__.zeek
diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.zeek
similarity index 100%
rename from scripts/base/frameworks/logging/main.bro
rename to scripts/base/frameworks/logging/main.zeek
diff --git a/scripts/base/frameworks/logging/postprocessors/__load__.bro b/scripts/base/frameworks/logging/postprocessors/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/logging/postprocessors/__load__.bro
rename to scripts/base/frameworks/logging/postprocessors/__load__.zeek
diff --git a/scripts/base/frameworks/logging/postprocessors/scp.bro b/scripts/base/frameworks/logging/postprocessors/scp.zeek
similarity index 100%
rename from scripts/base/frameworks/logging/postprocessors/scp.bro
rename to scripts/base/frameworks/logging/postprocessors/scp.zeek
diff --git a/scripts/base/frameworks/logging/postprocessors/sftp.bro b/scripts/base/frameworks/logging/postprocessors/sftp.zeek
similarity index 100%
rename from scripts/base/frameworks/logging/postprocessors/sftp.bro
rename to scripts/base/frameworks/logging/postprocessors/sftp.zeek
diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.zeek
similarity index 100%
rename from scripts/base/frameworks/logging/writers/ascii.bro
rename to scripts/base/frameworks/logging/writers/ascii.zeek
diff --git a/scripts/base/frameworks/logging/writers/none.bro b/scripts/base/frameworks/logging/writers/none.zeek
similarity index 100%
rename from scripts/base/frameworks/logging/writers/none.bro
rename to scripts/base/frameworks/logging/writers/none.zeek
diff --git a/scripts/base/frameworks/logging/writers/sqlite.bro b/scripts/base/frameworks/logging/writers/sqlite.zeek
similarity index 100%
rename from scripts/base/frameworks/logging/writers/sqlite.bro
rename to scripts/base/frameworks/logging/writers/sqlite.zeek
diff --git a/scripts/base/frameworks/netcontrol/__load__.bro b/scripts/base/frameworks/netcontrol/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/netcontrol/__load__.bro
rename to scripts/base/frameworks/netcontrol/__load__.zeek
diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.zeek
similarity index 100%
rename from scripts/base/frameworks/netcontrol/catch-and-release.bro
rename to scripts/base/frameworks/netcontrol/catch-and-release.zeek
diff --git a/scripts/base/frameworks/netcontrol/cluster.bro b/scripts/base/frameworks/netcontrol/cluster.zeek
similarity index 100%
rename from scripts/base/frameworks/netcontrol/cluster.bro
rename to scripts/base/frameworks/netcontrol/cluster.zeek
diff --git a/scripts/base/frameworks/netcontrol/drop.bro b/scripts/base/frameworks/netcontrol/drop.zeek
similarity index 100%
rename from scripts/base/frameworks/netcontrol/drop.bro
rename to scripts/base/frameworks/netcontrol/drop.zeek
diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.zeek
similarity index 99%
rename from scripts/base/frameworks/netcontrol/main.bro
rename to scripts/base/frameworks/netcontrol/main.zeek
index a9418508af..110a0488dd 100644
--- a/scripts/base/frameworks/netcontrol/main.bro
+++ b/scripts/base/frameworks/netcontrol/main.zeek
@@ -43,8 +43,8 @@ export { # ### High-level API. # ### - # ### Note - other high level primitives are in catch-and-release.bro, shunt.bro and - # ### drop.bro + # ### Note - other high level primitives are in catch-and-release.zeek, + # ### shunt.zeek and drop.zeek ## Allows all traffic involving a specific IP address to be forwarded. ## diff --git a/scripts/base/frameworks/netcontrol/non-cluster.bro b/scripts/base/frameworks/netcontrol/non-cluster.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/non-cluster.bro rename to scripts/base/frameworks/netcontrol/non-cluster.zeek diff --git a/scripts/base/frameworks/netcontrol/plugin.bro b/scripts/base/frameworks/netcontrol/plugin.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugin.bro rename to scripts/base/frameworks/netcontrol/plugin.zeek diff --git a/scripts/base/frameworks/netcontrol/plugins/__load__.bro b/scripts/base/frameworks/netcontrol/plugins/__load__.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugins/__load__.bro rename to scripts/base/frameworks/netcontrol/plugins/__load__.zeek diff --git a/scripts/base/frameworks/netcontrol/plugins/acld.bro b/scripts/base/frameworks/netcontrol/plugins/acld.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugins/acld.bro rename to scripts/base/frameworks/netcontrol/plugins/acld.zeek diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.bro b/scripts/base/frameworks/netcontrol/plugins/broker.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugins/broker.bro rename to scripts/base/frameworks/netcontrol/plugins/broker.zeek diff --git a/scripts/base/frameworks/netcontrol/plugins/debug.bro b/scripts/base/frameworks/netcontrol/plugins/debug.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugins/debug.bro rename to scripts/base/frameworks/netcontrol/plugins/debug.zeek 
diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.zeek
similarity index 100%
rename from scripts/base/frameworks/netcontrol/plugins/openflow.bro
rename to scripts/base/frameworks/netcontrol/plugins/openflow.zeek
diff --git a/scripts/base/frameworks/netcontrol/plugins/packetfilter.bro b/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
similarity index 100%
rename from scripts/base/frameworks/netcontrol/plugins/packetfilter.bro
rename to scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
diff --git a/scripts/base/frameworks/netcontrol/shunt.bro b/scripts/base/frameworks/netcontrol/shunt.zeek
similarity index 100%
rename from scripts/base/frameworks/netcontrol/shunt.bro
rename to scripts/base/frameworks/netcontrol/shunt.zeek
diff --git a/scripts/base/frameworks/netcontrol/types.bro b/scripts/base/frameworks/netcontrol/types.zeek
similarity index 100%
rename from scripts/base/frameworks/netcontrol/types.bro
rename to scripts/base/frameworks/netcontrol/types.zeek
diff --git a/scripts/base/frameworks/notice/__load__.bro b/scripts/base/frameworks/notice/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/notice/__load__.bro
rename to scripts/base/frameworks/notice/__load__.zeek
diff --git a/scripts/base/frameworks/notice/actions/add-geodata.bro b/scripts/base/frameworks/notice/actions/add-geodata.zeek
similarity index 100%
rename from scripts/base/frameworks/notice/actions/add-geodata.bro
rename to scripts/base/frameworks/notice/actions/add-geodata.zeek
diff --git a/scripts/base/frameworks/notice/actions/drop.bro b/scripts/base/frameworks/notice/actions/drop.zeek
similarity index 100%
rename from scripts/base/frameworks/notice/actions/drop.bro
rename to scripts/base/frameworks/notice/actions/drop.zeek
diff --git a/scripts/base/frameworks/notice/actions/email_admin.bro b/scripts/base/frameworks/notice/actions/email_admin.zeek
similarity index 100%
rename from scripts/base/frameworks/notice/actions/email_admin.bro
rename to scripts/base/frameworks/notice/actions/email_admin.zeek
diff --git a/scripts/base/frameworks/notice/actions/page.bro b/scripts/base/frameworks/notice/actions/page.zeek
similarity index 100%
rename from scripts/base/frameworks/notice/actions/page.bro
rename to scripts/base/frameworks/notice/actions/page.zeek
diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.zeek
similarity index 100%
rename from scripts/base/frameworks/notice/actions/pp-alarms.bro
rename to scripts/base/frameworks/notice/actions/pp-alarms.zeek
diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.zeek
similarity index 100%
rename from scripts/base/frameworks/notice/main.bro
rename to scripts/base/frameworks/notice/main.zeek
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.zeek
similarity index 100%
rename from scripts/base/frameworks/notice/weird.bro
rename to scripts/base/frameworks/notice/weird.zeek
diff --git a/scripts/base/frameworks/openflow/__load__.bro b/scripts/base/frameworks/openflow/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/openflow/__load__.bro
rename to scripts/base/frameworks/openflow/__load__.zeek
diff --git a/scripts/base/frameworks/openflow/cluster.bro b/scripts/base/frameworks/openflow/cluster.zeek
similarity index 100%
rename from scripts/base/frameworks/openflow/cluster.bro
rename to scripts/base/frameworks/openflow/cluster.zeek
diff --git a/scripts/base/frameworks/openflow/consts.bro b/scripts/base/frameworks/openflow/consts.zeek
similarity index 100%
rename from scripts/base/frameworks/openflow/consts.bro
rename to scripts/base/frameworks/openflow/consts.zeek
diff --git a/scripts/base/frameworks/openflow/main.bro b/scripts/base/frameworks/openflow/main.zeek similarity index 99% rename from scripts/base/frameworks/openflow/main.bro rename to scripts/base/frameworks/openflow/main.zeek index 5740e90056..ecddea7cb3 100644 --- a/scripts/base/frameworks/openflow/main.bro +++ b/scripts/base/frameworks/openflow/main.zeek @@ -251,7 +251,7 @@ function controller_init_done(controller: Controller) event OpenFlow::controller_activated(controller$state$_name, controller); } -# Functions that are called from cluster.bro and non-cluster.bro +# Functions that are called from cluster.zeek and non-cluster.zeek function register_controller_impl(tpe: OpenFlow::Plugin, name: string, controller: Controller) { diff --git a/scripts/base/frameworks/openflow/non-cluster.bro b/scripts/base/frameworks/openflow/non-cluster.zeek similarity index 100% rename from scripts/base/frameworks/openflow/non-cluster.bro rename to scripts/base/frameworks/openflow/non-cluster.zeek diff --git a/scripts/base/frameworks/openflow/plugins/__load__.bro b/scripts/base/frameworks/openflow/plugins/__load__.zeek similarity index 100% rename from scripts/base/frameworks/openflow/plugins/__load__.bro rename to scripts/base/frameworks/openflow/plugins/__load__.zeek diff --git a/scripts/base/frameworks/openflow/plugins/broker.bro b/scripts/base/frameworks/openflow/plugins/broker.zeek similarity index 100% rename from scripts/base/frameworks/openflow/plugins/broker.bro rename to scripts/base/frameworks/openflow/plugins/broker.zeek diff --git a/scripts/base/frameworks/openflow/plugins/log.bro b/scripts/base/frameworks/openflow/plugins/log.zeek similarity index 100% rename from scripts/base/frameworks/openflow/plugins/log.bro rename to scripts/base/frameworks/openflow/plugins/log.zeek 
diff --git a/scripts/base/frameworks/openflow/plugins/ryu.bro b/scripts/base/frameworks/openflow/plugins/ryu.zeek
similarity index 100%
rename from scripts/base/frameworks/openflow/plugins/ryu.bro
rename to scripts/base/frameworks/openflow/plugins/ryu.zeek
diff --git a/scripts/base/frameworks/openflow/types.bro b/scripts/base/frameworks/openflow/types.zeek
similarity index 100%
rename from scripts/base/frameworks/openflow/types.bro
rename to scripts/base/frameworks/openflow/types.zeek
diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/packet-filter/__load__.bro
rename to scripts/base/frameworks/packet-filter/__load__.zeek
diff --git a/scripts/base/frameworks/packet-filter/cluster.bro b/scripts/base/frameworks/packet-filter/cluster.zeek
similarity index 100%
rename from scripts/base/frameworks/packet-filter/cluster.bro
rename to scripts/base/frameworks/packet-filter/cluster.zeek
diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.zeek
similarity index 100%
rename from scripts/base/frameworks/packet-filter/main.bro
rename to scripts/base/frameworks/packet-filter/main.zeek
diff --git a/scripts/base/frameworks/packet-filter/netstats.bro b/scripts/base/frameworks/packet-filter/netstats.zeek
similarity index 100%
rename from scripts/base/frameworks/packet-filter/netstats.bro
rename to scripts/base/frameworks/packet-filter/netstats.zeek
diff --git a/scripts/base/frameworks/packet-filter/utils.bro b/scripts/base/frameworks/packet-filter/utils.zeek
similarity index 100%
rename from scripts/base/frameworks/packet-filter/utils.bro
rename to scripts/base/frameworks/packet-filter/utils.zeek
diff --git a/scripts/base/frameworks/reporter/__load__.bro b/scripts/base/frameworks/reporter/__load__.zeek similarity index 100% rename from scripts/base/frameworks/reporter/__load__.bro rename to scripts/base/frameworks/reporter/__load__.zeek diff --git a/scripts/base/frameworks/reporter/main.bro b/scripts/base/frameworks/reporter/main.zeek similarity index 99% rename from scripts/base/frameworks/reporter/main.bro rename to scripts/base/frameworks/reporter/main.zeek index 8cba29bdc2..ea97048049 100644 --- a/scripts/base/frameworks/reporter/main.bro +++ b/scripts/base/frameworks/reporter/main.zeek @@ -9,7 +9,7 @@ ##! Note that this framework deals with the handling of internally generated ##! reporter messages, for the interface ##! into actually creating reporter messages from the scripting layer, use -##! the built-in functions in :doc:`/scripts/base/bif/reporter.bif.bro`. +##! the built-in functions in :doc:`/scripts/base/bif/reporter.bif.zeek`. module Reporter; diff --git a/scripts/base/frameworks/signatures/__load__.bro b/scripts/base/frameworks/signatures/__load__.zeek similarity index 100% rename from scripts/base/frameworks/signatures/__load__.bro rename to scripts/base/frameworks/signatures/__load__.zeek diff --git a/scripts/base/frameworks/signatures/main.bro b/scripts/base/frameworks/signatures/main.zeek similarity index 100% rename from scripts/base/frameworks/signatures/main.bro rename to scripts/base/frameworks/signatures/main.zeek diff --git a/scripts/base/frameworks/software/__load__.bro b/scripts/base/frameworks/software/__load__.zeek similarity index 100% rename from scripts/base/frameworks/software/__load__.bro rename to scripts/base/frameworks/software/__load__.zeek diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.zeek similarity index 100% rename from scripts/base/frameworks/software/main.bro rename to scripts/base/frameworks/software/main.zeek 
diff --git a/scripts/base/frameworks/sumstats/__load__.bro b/scripts/base/frameworks/sumstats/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/__load__.bro
rename to scripts/base/frameworks/sumstats/__load__.zeek
diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/cluster.bro
rename to scripts/base/frameworks/sumstats/cluster.zeek
diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/main.bro
rename to scripts/base/frameworks/sumstats/main.zeek
diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/non-cluster.bro
rename to scripts/base/frameworks/sumstats/non-cluster.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/__load__.bro b/scripts/base/frameworks/sumstats/plugins/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/__load__.bro
rename to scripts/base/frameworks/sumstats/plugins/__load__.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/average.bro b/scripts/base/frameworks/sumstats/plugins/average.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/average.bro
rename to scripts/base/frameworks/sumstats/plugins/average.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/hll_unique.bro b/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/hll_unique.bro
rename to scripts/base/frameworks/sumstats/plugins/hll_unique.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/last.bro b/scripts/base/frameworks/sumstats/plugins/last.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/last.bro
rename to scripts/base/frameworks/sumstats/plugins/last.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/max.bro b/scripts/base/frameworks/sumstats/plugins/max.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/max.bro
rename to scripts/base/frameworks/sumstats/plugins/max.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/min.bro b/scripts/base/frameworks/sumstats/plugins/min.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/min.bro
rename to scripts/base/frameworks/sumstats/plugins/min.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/sample.bro
rename to scripts/base/frameworks/sumstats/plugins/sample.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/std-dev.bro b/scripts/base/frameworks/sumstats/plugins/std-dev.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/std-dev.bro
rename to scripts/base/frameworks/sumstats/plugins/std-dev.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/sum.bro b/scripts/base/frameworks/sumstats/plugins/sum.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/sum.bro
rename to scripts/base/frameworks/sumstats/plugins/sum.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/topk.bro b/scripts/base/frameworks/sumstats/plugins/topk.zeek
similarity index 100%
rename from scripts/base/frameworks/sumstats/plugins/topk.bro
rename to scripts/base/frameworks/sumstats/plugins/topk.zeek
diff --git a/scripts/base/frameworks/sumstats/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/unique.bro rename to scripts/base/frameworks/sumstats/plugins/unique.zeek diff --git a/scripts/base/frameworks/sumstats/plugins/variance.bro b/scripts/base/frameworks/sumstats/plugins/variance.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/variance.bro rename to scripts/base/frameworks/sumstats/plugins/variance.zeek diff --git a/scripts/base/frameworks/tunnels/__load__.bro b/scripts/base/frameworks/tunnels/__load__.zeek similarity index 100% rename from scripts/base/frameworks/tunnels/__load__.bro rename to scripts/base/frameworks/tunnels/__load__.zeek diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.zeek similarity index 100% rename from scripts/base/frameworks/tunnels/main.bro rename to scripts/base/frameworks/tunnels/main.zeek diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.zeek similarity index 99% rename from scripts/base/init-bare.bro rename to scripts/base/init-bare.zeek index 0c32cebcc5..3c1c6f98fb 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.zeek @@ -480,7 +480,7 @@ type NetStats: record { pkts_dropped: count &default=0; ##< Packets reported dropped by the system. ## Packets seen on the link. Note that this may differ ## from *pkts_recvd* because of a potential capture_filter. See - ## :doc:`/scripts/base/frameworks/packet-filter/main.bro`. Depending on the + ## :doc:`/scripts/base/frameworks/packet-filter/main.zeek`. Depending on the ## packet capture system, this value may not be available and will then ## be always set to zero. pkts_link: count &default=0; 
@@ -4629,13 +4629,13 @@ const log_max_size = 0.0 &redef; const log_encryption_key = "" &redef; ## Write profiling info into this file in regular intervals. The easiest way to -## activate profiling is loading :doc:`/scripts/policy/misc/profiling.bro`. +## activate profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. ## ## .. bro:see:: profiling_interval expensive_profiling_multiple segment_profiling global profiling_file: file &redef; ## Update interval for profiling (0 disables). The easiest way to activate -## profiling is loading :doc:`/scripts/policy/misc/profiling.bro`. +## profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. ## ## .. bro:see:: profiling_file expensive_profiling_multiple segment_profiling const profiling_interval = 0 secs &redef; diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.zeek similarity index 98% rename from scripts/base/init-default.bro rename to scripts/base/init-default.zeek index 463f5c2942..6982b0b2f4 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.zeek @@ -25,7 +25,7 @@ @load base/utils/urls # This has some deep interplay between types and BiFs so it's -# loaded in base/init-bare.bro +# loaded in base/init-bare.zeek #@load base/frameworks/logging @load base/frameworks/notice @load base/frameworks/analyzer diff --git a/scripts/base/init-frameworks-and-bifs.bro b/scripts/base/init-frameworks-and-bifs.zeek similarity index 86% rename from scripts/base/init-frameworks-and-bifs.bro rename to scripts/base/init-frameworks-and-bifs.zeek index f772e2d223..19897e7ffb 100644 --- a/scripts/base/init-frameworks-and-bifs.bro +++ b/scripts/base/init-frameworks-and-bifs.zeek 
@@ -1,7 +1,7 @@ # Load these frameworks here because they use fairly deep integration with # BiFs and script-land defined types. They are also more likely to # make use of calling BIFs for variable initializations, and that -# can't be done until init-bare.bro has been loaded completely (hence +# can't be done until init-bare.zeek has been loaded completely (hence # the separate file). @load base/frameworks/logging @load base/frameworks/broker diff --git a/scripts/base/misc/find-checksum-offloading.bro b/scripts/base/misc/find-checksum-offloading.zeek similarity index 100% rename from scripts/base/misc/find-checksum-offloading.bro rename to scripts/base/misc/find-checksum-offloading.zeek diff --git a/scripts/base/misc/find-filtered-trace.bro b/scripts/base/misc/find-filtered-trace.zeek similarity index 100% rename from scripts/base/misc/find-filtered-trace.bro rename to scripts/base/misc/find-filtered-trace.zeek diff --git a/scripts/base/misc/version.bro b/scripts/base/misc/version.zeek similarity index 100% rename from scripts/base/misc/version.bro rename to scripts/base/misc/version.zeek diff --git a/scripts/base/protocols/conn/__load__.bro b/scripts/base/protocols/conn/__load__.zeek similarity index 100% rename from scripts/base/protocols/conn/__load__.bro rename to scripts/base/protocols/conn/__load__.zeek diff --git a/scripts/base/protocols/conn/contents.bro b/scripts/base/protocols/conn/contents.zeek similarity index 100% rename from scripts/base/protocols/conn/contents.bro rename to scripts/base/protocols/conn/contents.zeek diff --git a/scripts/base/protocols/conn/inactivity.bro b/scripts/base/protocols/conn/inactivity.zeek similarity index 100% rename from scripts/base/protocols/conn/inactivity.bro rename to scripts/base/protocols/conn/inactivity.zeek diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.zeek similarity index 100% rename from scripts/base/protocols/conn/main.bro rename to scripts/base/protocols/conn/main.zeek 
diff --git a/scripts/base/protocols/conn/polling.bro b/scripts/base/protocols/conn/polling.zeek
similarity index 100%
rename from scripts/base/protocols/conn/polling.bro
rename to scripts/base/protocols/conn/polling.zeek
diff --git a/scripts/base/protocols/conn/thresholds.bro b/scripts/base/protocols/conn/thresholds.zeek
similarity index 100%
rename from scripts/base/protocols/conn/thresholds.bro
rename to scripts/base/protocols/conn/thresholds.zeek
diff --git a/scripts/base/protocols/dce-rpc/__load__.bro b/scripts/base/protocols/dce-rpc/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/dce-rpc/__load__.bro
rename to scripts/base/protocols/dce-rpc/__load__.zeek
diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.zeek
similarity index 100%
rename from scripts/base/protocols/dce-rpc/consts.bro
rename to scripts/base/protocols/dce-rpc/consts.zeek
diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.zeek
similarity index 100%
rename from scripts/base/protocols/dce-rpc/main.bro
rename to scripts/base/protocols/dce-rpc/main.zeek
diff --git a/scripts/base/protocols/dhcp/__load__.bro b/scripts/base/protocols/dhcp/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/dhcp/__load__.bro
rename to scripts/base/protocols/dhcp/__load__.zeek
diff --git a/scripts/base/protocols/dhcp/consts.bro b/scripts/base/protocols/dhcp/consts.zeek
similarity index 100%
rename from scripts/base/protocols/dhcp/consts.bro
rename to scripts/base/protocols/dhcp/consts.zeek
diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.zeek
similarity index 100%
rename from scripts/base/protocols/dhcp/main.bro
rename to scripts/base/protocols/dhcp/main.zeek
diff --git a/scripts/base/protocols/dnp3/__load__.bro b/scripts/base/protocols/dnp3/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/dnp3/__load__.bro
rename to scripts/base/protocols/dnp3/__load__.zeek
diff --git a/scripts/base/protocols/dnp3/consts.bro b/scripts/base/protocols/dnp3/consts.zeek
similarity index 100%
rename from scripts/base/protocols/dnp3/consts.bro
rename to scripts/base/protocols/dnp3/consts.zeek
diff --git a/scripts/base/protocols/dnp3/main.bro b/scripts/base/protocols/dnp3/main.zeek
similarity index 100%
rename from scripts/base/protocols/dnp3/main.bro
rename to scripts/base/protocols/dnp3/main.zeek
diff --git a/scripts/base/protocols/dns/__load__.bro b/scripts/base/protocols/dns/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/dns/__load__.bro
rename to scripts/base/protocols/dns/__load__.zeek
diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.zeek
similarity index 100%
rename from scripts/base/protocols/dns/consts.bro
rename to scripts/base/protocols/dns/consts.zeek
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.zeek
similarity index 100%
rename from scripts/base/protocols/dns/main.bro
rename to scripts/base/protocols/dns/main.zeek
diff --git a/scripts/base/protocols/ftp/__load__.bro b/scripts/base/protocols/ftp/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/ftp/__load__.bro
rename to scripts/base/protocols/ftp/__load__.zeek
diff --git a/scripts/base/protocols/ftp/files.bro b/scripts/base/protocols/ftp/files.zeek
similarity index 100%
rename from scripts/base/protocols/ftp/files.bro
rename to scripts/base/protocols/ftp/files.zeek
diff --git a/scripts/base/protocols/ftp/gridftp.bro b/scripts/base/protocols/ftp/gridftp.zeek
similarity index 100%
rename from scripts/base/protocols/ftp/gridftp.bro
rename to scripts/base/protocols/ftp/gridftp.zeek
diff --git a/scripts/base/protocols/ftp/info.bro b/scripts/base/protocols/ftp/info.zeek
similarity index 100%
rename from scripts/base/protocols/ftp/info.bro
rename to scripts/base/protocols/ftp/info.zeek
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.zeek
similarity index 100%
rename from scripts/base/protocols/ftp/main.bro
rename to scripts/base/protocols/ftp/main.zeek
diff --git a/scripts/base/protocols/ftp/utils-commands.bro b/scripts/base/protocols/ftp/utils-commands.zeek
similarity index 100%
rename from scripts/base/protocols/ftp/utils-commands.bro
rename to scripts/base/protocols/ftp/utils-commands.zeek
diff --git a/scripts/base/protocols/ftp/utils.bro b/scripts/base/protocols/ftp/utils.zeek
similarity index 100%
rename from scripts/base/protocols/ftp/utils.bro
rename to scripts/base/protocols/ftp/utils.zeek
diff --git a/scripts/base/protocols/http/__load__.bro b/scripts/base/protocols/http/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/http/__load__.bro
rename to scripts/base/protocols/http/__load__.zeek
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.zeek
similarity index 100%
rename from scripts/base/protocols/http/entities.bro
rename to scripts/base/protocols/http/entities.zeek
diff --git a/scripts/base/protocols/http/files.bro b/scripts/base/protocols/http/files.zeek
similarity index 100%
rename from scripts/base/protocols/http/files.bro
rename to scripts/base/protocols/http/files.zeek
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.zeek
similarity index 100%
rename from scripts/base/protocols/http/main.bro
rename to scripts/base/protocols/http/main.zeek
diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.zeek
similarity index 100%
rename from scripts/base/protocols/http/utils.bro
rename to scripts/base/protocols/http/utils.zeek
diff --git a/scripts/base/protocols/imap/__load__.bro b/scripts/base/protocols/imap/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/imap/__load__.bro
rename to scripts/base/protocols/imap/__load__.zeek
diff --git a/scripts/base/protocols/imap/main.bro b/scripts/base/protocols/imap/main.zeek
similarity index 100%
rename from scripts/base/protocols/imap/main.bro
rename to scripts/base/protocols/imap/main.zeek
diff --git a/scripts/base/protocols/irc/__load__.bro b/scripts/base/protocols/irc/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/irc/__load__.bro
rename to scripts/base/protocols/irc/__load__.zeek
diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.zeek
similarity index 100%
rename from scripts/base/protocols/irc/dcc-send.bro
rename to scripts/base/protocols/irc/dcc-send.zeek
diff --git a/scripts/base/protocols/irc/files.bro b/scripts/base/protocols/irc/files.zeek
similarity index 100%
rename from scripts/base/protocols/irc/files.bro
rename to scripts/base/protocols/irc/files.zeek
diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.zeek
similarity index 100%
rename from scripts/base/protocols/irc/main.bro
rename to scripts/base/protocols/irc/main.zeek
diff --git a/scripts/base/protocols/krb/__load__.bro b/scripts/base/protocols/krb/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/krb/__load__.bro
rename to scripts/base/protocols/krb/__load__.zeek
diff --git a/scripts/base/protocols/krb/consts.bro b/scripts/base/protocols/krb/consts.zeek
similarity index 100%
rename from scripts/base/protocols/krb/consts.bro
rename to scripts/base/protocols/krb/consts.zeek
diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.zeek
similarity index 100%
rename from scripts/base/protocols/krb/files.bro
rename to scripts/base/protocols/krb/files.zeek
diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.zeek
similarity index 100%
rename from scripts/base/protocols/krb/main.bro
rename to scripts/base/protocols/krb/main.zeek
diff --git a/scripts/base/protocols/modbus/__load__.bro b/scripts/base/protocols/modbus/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/modbus/__load__.bro
rename to scripts/base/protocols/modbus/__load__.zeek
diff --git a/scripts/base/protocols/modbus/consts.bro b/scripts/base/protocols/modbus/consts.zeek
similarity index 100%
rename from scripts/base/protocols/modbus/consts.bro
rename to scripts/base/protocols/modbus/consts.zeek
diff --git a/scripts/base/protocols/modbus/main.bro b/scripts/base/protocols/modbus/main.zeek
similarity index 100%
rename from scripts/base/protocols/modbus/main.bro
rename to scripts/base/protocols/modbus/main.zeek
diff --git a/scripts/base/protocols/mysql/__load__.bro b/scripts/base/protocols/mysql/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/mysql/__load__.bro
rename to scripts/base/protocols/mysql/__load__.zeek
diff --git a/scripts/base/protocols/mysql/consts.bro b/scripts/base/protocols/mysql/consts.zeek
similarity index 100%
rename from scripts/base/protocols/mysql/consts.bro
rename to scripts/base/protocols/mysql/consts.zeek
diff --git a/scripts/base/protocols/mysql/main.bro b/scripts/base/protocols/mysql/main.zeek
similarity index 100%
rename from scripts/base/protocols/mysql/main.bro
rename to scripts/base/protocols/mysql/main.zeek
diff --git a/scripts/base/protocols/ntlm/__load__.bro b/scripts/base/protocols/ntlm/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/ntlm/__load__.bro
rename to scripts/base/protocols/ntlm/__load__.zeek
diff --git a/scripts/base/protocols/ntlm/main.bro b/scripts/base/protocols/ntlm/main.zeek
similarity index 100%
rename from scripts/base/protocols/ntlm/main.bro
rename to scripts/base/protocols/ntlm/main.zeek
diff --git a/scripts/base/protocols/pop3/__load__.bro b/scripts/base/protocols/pop3/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/pop3/__load__.bro
rename to scripts/base/protocols/pop3/__load__.zeek
diff --git a/scripts/base/protocols/radius/__load__.bro b/scripts/base/protocols/radius/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/radius/__load__.bro
rename to scripts/base/protocols/radius/__load__.zeek
diff --git a/scripts/base/protocols/radius/consts.bro b/scripts/base/protocols/radius/consts.zeek
similarity index 100%
rename from scripts/base/protocols/radius/consts.bro
rename to scripts/base/protocols/radius/consts.zeek
diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.zeek
similarity index 100%
rename from scripts/base/protocols/radius/main.bro
rename to scripts/base/protocols/radius/main.zeek
diff --git a/scripts/base/protocols/rdp/__load__.bro b/scripts/base/protocols/rdp/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/rdp/__load__.bro
rename to scripts/base/protocols/rdp/__load__.zeek
diff --git a/scripts/base/protocols/rdp/consts.bro b/scripts/base/protocols/rdp/consts.zeek
similarity index 100%
rename from scripts/base/protocols/rdp/consts.bro
rename to scripts/base/protocols/rdp/consts.zeek
diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.zeek
similarity index 100%
rename from scripts/base/protocols/rdp/main.bro
rename to scripts/base/protocols/rdp/main.zeek
diff --git a/scripts/base/protocols/rfb/__load__.bro b/scripts/base/protocols/rfb/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/rfb/__load__.bro
rename to scripts/base/protocols/rfb/__load__.zeek
diff --git a/scripts/base/protocols/rfb/main.bro b/scripts/base/protocols/rfb/main.zeek
similarity index 100%
rename from scripts/base/protocols/rfb/main.bro
rename to scripts/base/protocols/rfb/main.zeek
diff --git a/scripts/base/protocols/sip/__load__.bro b/scripts/base/protocols/sip/__load__.zeek similarity index 100% rename from scripts/base/protocols/sip/__load__.bro rename to scripts/base/protocols/sip/__load__.zeek diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.zeek similarity index 100% rename from scripts/base/protocols/sip/main.bro rename to scripts/base/protocols/sip/main.zeek diff --git a/scripts/base/protocols/smb/__load__.bro b/scripts/base/protocols/smb/__load__.zeek similarity index 100% rename from scripts/base/protocols/smb/__load__.bro rename to scripts/base/protocols/smb/__load__.zeek diff --git a/scripts/base/protocols/smb/const-dos-error.bro b/scripts/base/protocols/smb/const-dos-error.zeek similarity index 100% rename from scripts/base/protocols/smb/const-dos-error.bro rename to scripts/base/protocols/smb/const-dos-error.zeek diff --git a/scripts/base/protocols/smb/const-nt-status.bro b/scripts/base/protocols/smb/const-nt-status.zeek similarity index 100% rename from scripts/base/protocols/smb/const-nt-status.bro rename to scripts/base/protocols/smb/const-nt-status.zeek diff --git a/scripts/base/protocols/smb/consts.bro b/scripts/base/protocols/smb/consts.zeek similarity index 99% rename from scripts/base/protocols/smb/consts.bro rename to scripts/base/protocols/smb/consts.zeek index f36d029be9..32a03dd17d 100644 --- a/scripts/base/protocols/smb/consts.bro +++ b/scripts/base/protocols/smb/consts.zeek @@ -12,7 +12,7 @@ export { ## Heuristic detection of named pipes when the pipe ## mapping isn't seen. This variable is defined in - ## init-bare.bro. + ## init-bare.zeek. redef SMB::pipe_filenames = { "spoolss", "winreg", diff --git a/scripts/base/protocols/smb/files.bro b/scripts/base/protocols/smb/files.zeek similarity index 100% rename from scripts/base/protocols/smb/files.bro rename to scripts/base/protocols/smb/files.zeek 
diff --git a/scripts/base/protocols/smb/main.bro b/scripts/base/protocols/smb/main.zeek
similarity index 100%
rename from scripts/base/protocols/smb/main.bro
rename to scripts/base/protocols/smb/main.zeek
diff --git a/scripts/base/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.zeek
similarity index 100%
rename from scripts/base/protocols/smb/smb1-main.bro
rename to scripts/base/protocols/smb/smb1-main.zeek
diff --git a/scripts/base/protocols/smb/smb2-main.bro b/scripts/base/protocols/smb/smb2-main.zeek
similarity index 100%
rename from scripts/base/protocols/smb/smb2-main.bro
rename to scripts/base/protocols/smb/smb2-main.zeek
diff --git a/scripts/base/protocols/smtp/__load__.bro b/scripts/base/protocols/smtp/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/smtp/__load__.bro
rename to scripts/base/protocols/smtp/__load__.zeek
diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.zeek
similarity index 100%
rename from scripts/base/protocols/smtp/entities.bro
rename to scripts/base/protocols/smtp/entities.zeek
diff --git a/scripts/base/protocols/smtp/files.bro b/scripts/base/protocols/smtp/files.zeek
similarity index 100%
rename from scripts/base/protocols/smtp/files.bro
rename to scripts/base/protocols/smtp/files.zeek
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.zeek
similarity index 100%
rename from scripts/base/protocols/smtp/main.bro
rename to scripts/base/protocols/smtp/main.zeek
diff --git a/scripts/base/protocols/snmp/__load__.bro b/scripts/base/protocols/snmp/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/snmp/__load__.bro
rename to scripts/base/protocols/snmp/__load__.zeek
diff --git a/scripts/base/protocols/snmp/main.bro b/scripts/base/protocols/snmp/main.zeek
similarity index 100%
rename from scripts/base/protocols/snmp/main.bro
rename to scripts/base/protocols/snmp/main.zeek
diff --git a/scripts/base/protocols/socks/__load__.bro b/scripts/base/protocols/socks/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/socks/__load__.bro
rename to scripts/base/protocols/socks/__load__.zeek
diff --git a/scripts/base/protocols/socks/consts.bro b/scripts/base/protocols/socks/consts.zeek
similarity index 100%
rename from scripts/base/protocols/socks/consts.bro
rename to scripts/base/protocols/socks/consts.zeek
diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.zeek
similarity index 100%
rename from scripts/base/protocols/socks/main.bro
rename to scripts/base/protocols/socks/main.zeek
diff --git a/scripts/base/protocols/ssh/__load__.bro b/scripts/base/protocols/ssh/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/ssh/__load__.bro
rename to scripts/base/protocols/ssh/__load__.zeek
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.zeek
similarity index 100%
rename from scripts/base/protocols/ssh/main.bro
rename to scripts/base/protocols/ssh/main.zeek
diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/ssl/__load__.bro
rename to scripts/base/protocols/ssl/__load__.zeek
diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.zeek
similarity index 100%
rename from scripts/base/protocols/ssl/consts.bro
rename to scripts/base/protocols/ssl/consts.zeek
diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.zeek
similarity index 100%
rename from scripts/base/protocols/ssl/ct-list.bro
rename to scripts/base/protocols/ssl/ct-list.zeek
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.zeek
similarity index 100%
rename from scripts/base/protocols/ssl/files.bro
rename to scripts/base/protocols/ssl/files.zeek
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.zeek similarity index 99% rename from scripts/base/protocols/ssl/main.bro rename to scripts/base/protocols/ssl/main.zeek index 8abb6e1d3f..73a8639891 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.zeek @@ -69,7 +69,7 @@ export { logged: bool &default=F; }; - ## The default root CA bundle. By default, the mozilla-ca-list.bro + ## The default root CA bundle. By default, the mozilla-ca-list.zeek ## script sets this to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; @@ -88,7 +88,7 @@ export { url: string; }; - ## The Certificate Transparency log bundle. By default, the ct-list.bro + ## The Certificate Transparency log bundle. By default, the ct-list.zeek ## script sets this to the current list of known logs. Entries ## are indexed by (binary) log-id. option ct_logs: table[string] of CTInfo = {}; diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.zeek similarity index 100% rename from scripts/base/protocols/ssl/mozilla-ca-list.bro rename to scripts/base/protocols/ssl/mozilla-ca-list.zeek diff --git a/scripts/base/protocols/syslog/__load__.bro b/scripts/base/protocols/syslog/__load__.zeek similarity index 100% rename from scripts/base/protocols/syslog/__load__.bro rename to scripts/base/protocols/syslog/__load__.zeek diff --git a/scripts/base/protocols/syslog/consts.bro b/scripts/base/protocols/syslog/consts.zeek similarity index 100% rename from scripts/base/protocols/syslog/consts.bro rename to scripts/base/protocols/syslog/consts.zeek diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.zeek similarity index 100% rename from scripts/base/protocols/syslog/main.bro rename to scripts/base/protocols/syslog/main.zeek 
diff --git a/scripts/base/protocols/tunnels/__load__.bro b/scripts/base/protocols/tunnels/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/tunnels/__load__.bro
rename to scripts/base/protocols/tunnels/__load__.zeek
diff --git a/scripts/base/protocols/xmpp/__load__.bro b/scripts/base/protocols/xmpp/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/xmpp/__load__.bro
rename to scripts/base/protocols/xmpp/__load__.zeek
diff --git a/scripts/base/protocols/xmpp/main.bro b/scripts/base/protocols/xmpp/main.zeek
similarity index 100%
rename from scripts/base/protocols/xmpp/main.bro
rename to scripts/base/protocols/xmpp/main.zeek
diff --git a/scripts/base/utils/active-http.bro b/scripts/base/utils/active-http.zeek
similarity index 100%
rename from scripts/base/utils/active-http.bro
rename to scripts/base/utils/active-http.zeek
diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.zeek
similarity index 100%
rename from scripts/base/utils/addrs.bro
rename to scripts/base/utils/addrs.zeek
diff --git a/scripts/base/utils/conn-ids.bro b/scripts/base/utils/conn-ids.zeek
similarity index 100%
rename from scripts/base/utils/conn-ids.bro
rename to scripts/base/utils/conn-ids.zeek
diff --git a/scripts/base/utils/dir.bro b/scripts/base/utils/dir.zeek
similarity index 100%
rename from scripts/base/utils/dir.bro
rename to scripts/base/utils/dir.zeek
diff --git a/scripts/base/utils/directions-and-hosts.bro b/scripts/base/utils/directions-and-hosts.zeek
similarity index 100%
rename from scripts/base/utils/directions-and-hosts.bro
rename to scripts/base/utils/directions-and-hosts.zeek
diff --git a/scripts/base/utils/email.bro b/scripts/base/utils/email.zeek
similarity index 100%
rename from scripts/base/utils/email.bro
rename to scripts/base/utils/email.zeek
diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.zeek
similarity index 100%
rename from scripts/base/utils/exec.bro
rename to scripts/base/utils/exec.zeek
diff --git a/scripts/base/utils/files.bro b/scripts/base/utils/files.zeek
similarity index 100%
rename from scripts/base/utils/files.bro
rename to scripts/base/utils/files.zeek
diff --git a/scripts/base/utils/geoip-distance.bro b/scripts/base/utils/geoip-distance.zeek
similarity index 100%
rename from scripts/base/utils/geoip-distance.bro
rename to scripts/base/utils/geoip-distance.zeek
diff --git a/scripts/base/utils/hash_hrw.bro b/scripts/base/utils/hash_hrw.zeek
similarity index 100%
rename from scripts/base/utils/hash_hrw.bro
rename to scripts/base/utils/hash_hrw.zeek
diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.zeek
similarity index 100%
rename from scripts/base/utils/json.bro
rename to scripts/base/utils/json.zeek
diff --git a/scripts/base/utils/numbers.bro b/scripts/base/utils/numbers.zeek
similarity index 100%
rename from scripts/base/utils/numbers.bro
rename to scripts/base/utils/numbers.zeek
diff --git a/scripts/base/utils/paths.bro b/scripts/base/utils/paths.zeek
similarity index 100%
rename from scripts/base/utils/paths.bro
rename to scripts/base/utils/paths.zeek
diff --git a/scripts/base/utils/patterns.bro b/scripts/base/utils/patterns.zeek
similarity index 100%
rename from scripts/base/utils/patterns.bro
rename to scripts/base/utils/patterns.zeek
diff --git a/scripts/base/utils/queue.bro b/scripts/base/utils/queue.zeek
similarity index 100%
rename from scripts/base/utils/queue.bro
rename to scripts/base/utils/queue.zeek
diff --git a/scripts/base/utils/site.bro b/scripts/base/utils/site.zeek
similarity index 100%
rename from scripts/base/utils/site.bro
rename to scripts/base/utils/site.zeek
diff --git a/scripts/base/utils/strings.bro b/scripts/base/utils/strings.zeek
similarity index 100%
rename from scripts/base/utils/strings.bro
rename to scripts/base/utils/strings.zeek
diff --git a/scripts/base/utils/thresholds.bro b/scripts/base/utils/thresholds.zeek
similarity index 100%
rename from scripts/base/utils/thresholds.bro
rename to scripts/base/utils/thresholds.zeek
diff --git a/scripts/base/utils/time.bro b/scripts/base/utils/time.zeek
similarity index 100%
rename from scripts/base/utils/time.bro
rename to scripts/base/utils/time.zeek
diff --git a/scripts/base/utils/urls.bro b/scripts/base/utils/urls.zeek
similarity index 100%
rename from scripts/base/utils/urls.bro
rename to scripts/base/utils/urls.zeek
diff --git a/scripts/broxygen/__load__.bro b/scripts/broxygen/__load__.bro
deleted file mode 100644
index 5d4ac5ea03..0000000000
--- a/scripts/broxygen/__load__.bro
+++ /dev/null
@@ -1,17 +0,0 @@
-@load test-all-policy.bro
-
-# Scripts which are commented out in test-all-policy.bro.
-@load protocols/ssl/notary.bro
-@load frameworks/control/controllee.bro
-@load frameworks/control/controller.bro
-@load frameworks/files/extract-all-files.bro
-@load policy/misc/dump-events.bro
-@load policy/protocols/dhcp/deprecated_events.bro
-@load policy/protocols/smb/__load__.bro
-
-@load ./example.bro
-
-event bro_init()
- {
- terminate();
- }
diff --git a/scripts/broxygen/__load__.zeek b/scripts/broxygen/__load__.zeek
new file mode 100644
index 0000000000..51e119a2c6
--- /dev/null
+++ b/scripts/broxygen/__load__.zeek
@@ -0,0 +1,17 @@
+@load test-all-policy.zeek
+
+# Scripts which are commented out in test-all-policy.zeek.
+@load protocols/ssl/notary.zeek
+@load frameworks/control/controllee.zeek
+@load frameworks/control/controller.zeek
+@load frameworks/files/extract-all-files.zeek
+@load policy/misc/dump-events.zeek
+@load policy/protocols/dhcp/deprecated_events.zeek
+@load policy/protocols/smb/__load__.zeek
+
+@load ./example.zeek
+
+event bro_init()
+ {
+ terminate();
+ }
diff --git a/scripts/broxygen/example.bro b/scripts/broxygen/example.zeek
similarity index 100%
rename from scripts/broxygen/example.bro
rename to scripts/broxygen/example.zeek
diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.zeek
similarity index 100%
rename from scripts/policy/files/x509/log-ocsp.bro
rename to scripts/policy/files/x509/log-ocsp.zeek
diff --git a/scripts/policy/frameworks/control/controllee.bro b/scripts/policy/frameworks/control/controllee.zeek
similarity index 100%
rename from scripts/policy/frameworks/control/controllee.bro
rename to scripts/policy/frameworks/control/controllee.zeek
diff --git a/scripts/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.zeek
similarity index 100%
rename from scripts/policy/frameworks/control/controller.bro
rename to scripts/policy/frameworks/control/controller.zeek
diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.zeek
similarity index 100%
rename from scripts/policy/frameworks/dpd/detect-protocols.bro
rename to scripts/policy/frameworks/dpd/detect-protocols.zeek
diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.zeek
similarity index 100%
rename from scripts/policy/frameworks/dpd/packet-segment-logging.bro
rename to scripts/policy/frameworks/dpd/packet-segment-logging.zeek
diff --git a/scripts/policy/frameworks/files/detect-MHR.bro b/scripts/policy/frameworks/files/detect-MHR.zeek
similarity index 100%
rename from scripts/policy/frameworks/files/detect-MHR.bro
rename to scripts/policy/frameworks/files/detect-MHR.zeek
diff --git a/scripts/policy/frameworks/files/entropy-test-all-files.bro b/scripts/policy/frameworks/files/entropy-test-all-files.zeek
similarity index 100%
rename from scripts/policy/frameworks/files/entropy-test-all-files.bro
rename to scripts/policy/frameworks/files/entropy-test-all-files.zeek
diff --git a/scripts/policy/frameworks/files/extract-all-files.bro b/scripts/policy/frameworks/files/extract-all-files.zeek
similarity index 100%
rename from scripts/policy/frameworks/files/extract-all-files.bro
rename to scripts/policy/frameworks/files/extract-all-files.zeek
diff --git a/scripts/policy/frameworks/files/hash-all-files.bro b/scripts/policy/frameworks/files/hash-all-files.zeek
similarity index 100%
rename from scripts/policy/frameworks/files/hash-all-files.bro
rename to scripts/policy/frameworks/files/hash-all-files.zeek
diff --git a/scripts/policy/frameworks/intel/do_expire.bro b/scripts/policy/frameworks/intel/do_expire.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/do_expire.bro
rename to scripts/policy/frameworks/intel/do_expire.zeek
diff --git a/scripts/policy/frameworks/intel/do_notice.bro b/scripts/policy/frameworks/intel/do_notice.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/do_notice.bro
rename to scripts/policy/frameworks/intel/do_notice.zeek
diff --git a/scripts/policy/frameworks/intel/removal.bro b/scripts/policy/frameworks/intel/removal.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/removal.bro
rename to scripts/policy/frameworks/intel/removal.zeek
diff --git a/scripts/policy/frameworks/intel/seen/__load__.bro b/scripts/policy/frameworks/intel/seen/__load__.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/__load__.bro
rename to scripts/policy/frameworks/intel/seen/__load__.zeek
diff --git a/scripts/policy/frameworks/intel/seen/conn-established.bro b/scripts/policy/frameworks/intel/seen/conn-established.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/conn-established.bro
rename to scripts/policy/frameworks/intel/seen/conn-established.zeek
diff --git a/scripts/policy/frameworks/intel/seen/dns.bro b/scripts/policy/frameworks/intel/seen/dns.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/dns.bro
rename to scripts/policy/frameworks/intel/seen/dns.zeek
diff --git a/scripts/policy/frameworks/intel/seen/file-hashes.bro b/scripts/policy/frameworks/intel/seen/file-hashes.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/file-hashes.bro
rename to scripts/policy/frameworks/intel/seen/file-hashes.zeek
diff --git a/scripts/policy/frameworks/intel/seen/file-names.bro b/scripts/policy/frameworks/intel/seen/file-names.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/file-names.bro
rename to scripts/policy/frameworks/intel/seen/file-names.zeek
diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/http-headers.bro
rename to scripts/policy/frameworks/intel/seen/http-headers.zeek
diff --git a/scripts/policy/frameworks/intel/seen/http-url.bro b/scripts/policy/frameworks/intel/seen/http-url.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/http-url.bro
rename to scripts/policy/frameworks/intel/seen/http-url.zeek
diff --git a/scripts/policy/frameworks/intel/seen/pubkey-hashes.bro b/scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/pubkey-hashes.bro
rename to scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek
diff --git a/scripts/policy/frameworks/intel/seen/smb-filenames.bro b/scripts/policy/frameworks/intel/seen/smb-filenames.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/smb-filenames.bro
rename to scripts/policy/frameworks/intel/seen/smb-filenames.zeek
diff --git a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro
rename to scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
diff --git a/scripts/policy/frameworks/intel/seen/smtp.bro b/scripts/policy/frameworks/intel/seen/smtp.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/smtp.bro
rename to scripts/policy/frameworks/intel/seen/smtp.zeek
diff --git a/scripts/policy/frameworks/intel/seen/ssl.bro b/scripts/policy/frameworks/intel/seen/ssl.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/ssl.bro
rename to scripts/policy/frameworks/intel/seen/ssl.zeek
diff --git a/scripts/policy/frameworks/intel/seen/where-locations.bro b/scripts/policy/frameworks/intel/seen/where-locations.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/where-locations.bro
rename to scripts/policy/frameworks/intel/seen/where-locations.zeek
diff --git a/scripts/policy/frameworks/intel/seen/x509.bro b/scripts/policy/frameworks/intel/seen/x509.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/x509.bro
rename to scripts/policy/frameworks/intel/seen/x509.zeek
diff --git a/scripts/policy/frameworks/intel/whitelist.bro b/scripts/policy/frameworks/intel/whitelist.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/whitelist.bro
rename to scripts/policy/frameworks/intel/whitelist.zeek
diff --git a/scripts/policy/frameworks/notice/__load__.bro b/scripts/policy/frameworks/notice/__load__.zeek
similarity index 100%
rename from scripts/policy/frameworks/notice/__load__.bro
rename to scripts/policy/frameworks/notice/__load__.zeek
diff --git a/scripts/policy/frameworks/notice/extend-email/hostnames.bro b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
similarity index 100%
rename from scripts/policy/frameworks/notice/extend-email/hostnames.bro
rename to scripts/policy/frameworks/notice/extend-email/hostnames.zeek
diff --git a/scripts/policy/frameworks/packet-filter/shunt.bro b/scripts/policy/frameworks/packet-filter/shunt.zeek
similarity index 100%
rename from scripts/policy/frameworks/packet-filter/shunt.bro
rename to scripts/policy/frameworks/packet-filter/shunt.zeek
diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.zeek
similarity index 100%
rename from scripts/policy/frameworks/software/version-changes.bro
rename to scripts/policy/frameworks/software/version-changes.zeek
diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.zeek
similarity index 100%
rename from scripts/policy/frameworks/software/vulnerable.bro
rename to scripts/policy/frameworks/software/vulnerable.zeek
diff --git a/scripts/policy/frameworks/software/windows-version-detection.bro b/scripts/policy/frameworks/software/windows-version-detection.zeek
similarity index 100%
rename from scripts/policy/frameworks/software/windows-version-detection.bro
rename to scripts/policy/frameworks/software/windows-version-detection.zeek
diff --git a/scripts/policy/integration/barnyard2/__load__.bro b/scripts/policy/integration/barnyard2/__load__.zeek
similarity index 100%
rename from scripts/policy/integration/barnyard2/__load__.bro
rename to scripts/policy/integration/barnyard2/__load__.zeek
diff --git a/scripts/policy/integration/barnyard2/main.bro b/scripts/policy/integration/barnyard2/main.zeek
similarity index 100%
rename from scripts/policy/integration/barnyard2/main.bro
rename to scripts/policy/integration/barnyard2/main.zeek
diff --git a/scripts/policy/integration/barnyard2/types.bro b/scripts/policy/integration/barnyard2/types.zeek
similarity index 100%
rename from scripts/policy/integration/barnyard2/types.bro
rename to scripts/policy/integration/barnyard2/types.zeek
diff --git a/scripts/policy/integration/collective-intel/__load__.bro b/scripts/policy/integration/collective-intel/__load__.zeek
similarity index 100%
rename from scripts/policy/integration/collective-intel/__load__.bro
rename to scripts/policy/integration/collective-intel/__load__.zeek
diff --git a/scripts/policy/integration/collective-intel/main.bro b/scripts/policy/integration/collective-intel/main.zeek
similarity index 100%
rename from scripts/policy/integration/collective-intel/main.bro
rename to scripts/policy/integration/collective-intel/main.zeek
diff --git a/scripts/policy/misc/capture-loss.bro b/scripts/policy/misc/capture-loss.zeek
similarity index 100%
rename from scripts/policy/misc/capture-loss.bro
rename to scripts/policy/misc/capture-loss.zeek
diff --git a/scripts/policy/misc/detect-traceroute/__load__.bro b/scripts/policy/misc/detect-traceroute/__load__.zeek
similarity index 100%
rename from scripts/policy/misc/detect-traceroute/__load__.bro
rename to scripts/policy/misc/detect-traceroute/__load__.zeek
diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.zeek
similarity index 100%
rename from scripts/policy/misc/detect-traceroute/main.bro
rename to scripts/policy/misc/detect-traceroute/main.zeek
diff --git a/scripts/policy/misc/dump-events.bro b/scripts/policy/misc/dump-events.zeek
similarity index 100%
rename from scripts/policy/misc/dump-events.bro
rename to scripts/policy/misc/dump-events.zeek
diff --git a/scripts/policy/misc/load-balancing.bro b/scripts/policy/misc/load-balancing.zeek
similarity index 100%
rename from scripts/policy/misc/load-balancing.bro
rename to scripts/policy/misc/load-balancing.zeek
diff --git a/scripts/policy/misc/loaded-scripts.bro b/scripts/policy/misc/loaded-scripts.zeek
similarity index 100%
rename from scripts/policy/misc/loaded-scripts.bro
rename to scripts/policy/misc/loaded-scripts.zeek
diff --git a/scripts/policy/misc/profiling.bro b/scripts/policy/misc/profiling.zeek
similarity index 100%
rename from scripts/policy/misc/profiling.bro
rename to scripts/policy/misc/profiling.zeek
diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.zeek
similarity index 100%
rename from scripts/policy/misc/scan.bro
rename to scripts/policy/misc/scan.zeek
diff --git a/scripts/policy/misc/stats.bro b/scripts/policy/misc/stats.zeek
similarity index 100%
rename from scripts/policy/misc/stats.bro
rename to scripts/policy/misc/stats.zeek
diff --git a/scripts/policy/misc/trim-trace-file.bro b/scripts/policy/misc/trim-trace-file.zeek
similarity index 100%
rename from scripts/policy/misc/trim-trace-file.bro
rename to scripts/policy/misc/trim-trace-file.zeek
diff --git a/scripts/policy/misc/weird-stats.bro b/scripts/policy/misc/weird-stats.zeek
similarity index 100%
rename from scripts/policy/misc/weird-stats.bro
rename to scripts/policy/misc/weird-stats.zeek
diff --git a/scripts/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.zeek
similarity index 100%
rename from scripts/policy/protocols/conn/known-hosts.bro
rename to scripts/policy/protocols/conn/known-hosts.zeek
diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.zeek
similarity index 100%
rename from scripts/policy/protocols/conn/known-services.bro
rename to scripts/policy/protocols/conn/known-services.zeek
diff --git a/scripts/policy/protocols/conn/mac-logging.bro b/scripts/policy/protocols/conn/mac-logging.zeek
similarity index 100%
rename from scripts/policy/protocols/conn/mac-logging.bro
rename to scripts/policy/protocols/conn/mac-logging.zeek
diff --git a/scripts/policy/protocols/conn/vlan-logging.bro b/scripts/policy/protocols/conn/vlan-logging.zeek
similarity index 100%
rename from scripts/policy/protocols/conn/vlan-logging.bro
rename to scripts/policy/protocols/conn/vlan-logging.zeek
diff --git a/scripts/policy/protocols/conn/weirds.bro b/scripts/policy/protocols/conn/weirds.zeek
similarity index 100%
rename from scripts/policy/protocols/conn/weirds.bro
rename to scripts/policy/protocols/conn/weirds.zeek
diff --git a/scripts/policy/protocols/dhcp/deprecated_events.bro b/scripts/policy/protocols/dhcp/deprecated_events.zeek
similarity index 100%
rename from scripts/policy/protocols/dhcp/deprecated_events.bro
rename to scripts/policy/protocols/dhcp/deprecated_events.zeek
diff --git a/scripts/policy/protocols/dhcp/msg-orig.bro b/scripts/policy/protocols/dhcp/msg-orig.zeek
similarity index 100%
rename from scripts/policy/protocols/dhcp/msg-orig.bro
rename to scripts/policy/protocols/dhcp/msg-orig.zeek
diff --git a/scripts/policy/protocols/dhcp/software.bro b/scripts/policy/protocols/dhcp/software.zeek
similarity index 100%
rename from scripts/policy/protocols/dhcp/software.bro
rename to scripts/policy/protocols/dhcp/software.zeek
diff --git a/scripts/policy/protocols/dhcp/sub-opts.bro b/scripts/policy/protocols/dhcp/sub-opts.zeek
similarity index 100%
rename from scripts/policy/protocols/dhcp/sub-opts.bro
rename to scripts/policy/protocols/dhcp/sub-opts.zeek
diff --git a/scripts/policy/protocols/dns/auth-addl.bro b/scripts/policy/protocols/dns/auth-addl.zeek
similarity index 100%
rename from scripts/policy/protocols/dns/auth-addl.bro
rename to scripts/policy/protocols/dns/auth-addl.zeek
diff --git a/scripts/policy/protocols/dns/detect-external-names.bro b/scripts/policy/protocols/dns/detect-external-names.zeek
similarity index 100%
rename from scripts/policy/protocols/dns/detect-external-names.bro
rename to scripts/policy/protocols/dns/detect-external-names.zeek
diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.zeek
similarity index 100%
rename from scripts/policy/protocols/ftp/detect-bruteforcing.bro
rename to scripts/policy/protocols/ftp/detect-bruteforcing.zeek
diff --git a/scripts/policy/protocols/ftp/detect.bro b/scripts/policy/protocols/ftp/detect.zeek
similarity index 100%
rename from scripts/policy/protocols/ftp/detect.bro
rename to scripts/policy/protocols/ftp/detect.zeek
diff --git a/scripts/policy/protocols/ftp/software.bro b/scripts/policy/protocols/ftp/software.zeek
similarity index 100%
rename from scripts/policy/protocols/ftp/software.bro
rename to scripts/policy/protocols/ftp/software.zeek
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.zeek
similarity index 100%
rename from scripts/policy/protocols/http/detect-sqli.bro
rename to scripts/policy/protocols/http/detect-sqli.zeek
diff --git a/scripts/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.zeek
similarity index 100%
rename from scripts/policy/protocols/http/detect-webapps.bro
rename to scripts/policy/protocols/http/detect-webapps.zeek
diff --git a/scripts/policy/protocols/http/header-names.bro b/scripts/policy/protocols/http/header-names.zeek
similarity index 100%
rename from scripts/policy/protocols/http/header-names.bro
rename to scripts/policy/protocols/http/header-names.zeek
diff --git a/scripts/policy/protocols/http/software-browser-plugins.bro b/scripts/policy/protocols/http/software-browser-plugins.zeek
similarity index 100%
rename from scripts/policy/protocols/http/software-browser-plugins.bro
rename to scripts/policy/protocols/http/software-browser-plugins.zeek
diff --git a/scripts/policy/protocols/http/software.bro b/scripts/policy/protocols/http/software.zeek
similarity index 100%
rename from scripts/policy/protocols/http/software.bro
rename to scripts/policy/protocols/http/software.zeek
diff --git a/scripts/policy/protocols/http/var-extraction-cookies.bro b/scripts/policy/protocols/http/var-extraction-cookies.zeek
similarity index 100%
rename from scripts/policy/protocols/http/var-extraction-cookies.bro
rename to scripts/policy/protocols/http/var-extraction-cookies.zeek
diff --git a/scripts/policy/protocols/http/var-extraction-uri.bro b/scripts/policy/protocols/http/var-extraction-uri.zeek
similarity index 100%
rename from scripts/policy/protocols/http/var-extraction-uri.bro
rename to scripts/policy/protocols/http/var-extraction-uri.zeek
diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.zeek
similarity index 100%
rename from scripts/policy/protocols/krb/ticket-logging.bro
rename to scripts/policy/protocols/krb/ticket-logging.zeek
diff --git a/scripts/policy/protocols/modbus/known-masters-slaves.bro b/scripts/policy/protocols/modbus/known-masters-slaves.zeek
similarity index 100%
rename from scripts/policy/protocols/modbus/known-masters-slaves.bro
rename to scripts/policy/protocols/modbus/known-masters-slaves.zeek
diff --git a/scripts/policy/protocols/modbus/track-memmap.bro b/scripts/policy/protocols/modbus/track-memmap.zeek
similarity index 100%
rename from scripts/policy/protocols/modbus/track-memmap.bro
rename to scripts/policy/protocols/modbus/track-memmap.zeek
diff --git a/scripts/policy/protocols/mysql/software.bro b/scripts/policy/protocols/mysql/software.zeek
similarity index 100%
rename from scripts/policy/protocols/mysql/software.bro
rename to scripts/policy/protocols/mysql/software.zeek
diff --git a/scripts/policy/protocols/rdp/indicate_ssl.bro b/scripts/policy/protocols/rdp/indicate_ssl.zeek
similarity index 100%
rename from scripts/policy/protocols/rdp/indicate_ssl.bro
rename to scripts/policy/protocols/rdp/indicate_ssl.zeek
diff --git a/scripts/policy/protocols/smb/__load__.bro b/scripts/policy/protocols/smb/__load__.zeek
similarity index 100%
rename from scripts/policy/protocols/smb/__load__.bro
rename to scripts/policy/protocols/smb/__load__.zeek
diff --git a/scripts/policy/protocols/smb/log-cmds.bro b/scripts/policy/protocols/smb/log-cmds.zeek
similarity index 100%
rename from scripts/policy/protocols/smb/log-cmds.bro
rename to scripts/policy/protocols/smb/log-cmds.zeek
diff --git a/scripts/policy/protocols/smtp/blocklists.bro b/scripts/policy/protocols/smtp/blocklists.zeek
similarity index 100%
rename from scripts/policy/protocols/smtp/blocklists.bro
rename to scripts/policy/protocols/smtp/blocklists.zeek
diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro b/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek
similarity index 100%
rename from scripts/policy/protocols/smtp/detect-suspicious-orig.bro
rename to scripts/policy/protocols/smtp/detect-suspicious-orig.zeek
diff --git a/scripts/policy/protocols/smtp/entities-excerpt.bro b/scripts/policy/protocols/smtp/entities-excerpt.zeek
similarity index 100%
rename from scripts/policy/protocols/smtp/entities-excerpt.bro
rename to scripts/policy/protocols/smtp/entities-excerpt.zeek
diff --git a/scripts/policy/protocols/smtp/software.bro b/scripts/policy/protocols/smtp/software.zeek
similarity index 100%
rename from scripts/policy/protocols/smtp/software.bro
rename to scripts/policy/protocols/smtp/software.zeek
diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.zeek
similarity index 100%
rename from scripts/policy/protocols/ssh/detect-bruteforcing.bro
rename to scripts/policy/protocols/ssh/detect-bruteforcing.zeek
diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.zeek
similarity index 100%
rename from scripts/policy/protocols/ssh/geo-data.bro
rename to scripts/policy/protocols/ssh/geo-data.zeek
diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.bro b/scripts/policy/protocols/ssh/interesting-hostnames.zeek
similarity index 100%
rename from scripts/policy/protocols/ssh/interesting-hostnames.bro
rename to scripts/policy/protocols/ssh/interesting-hostnames.zeek
diff --git a/scripts/policy/protocols/ssh/software.bro b/scripts/policy/protocols/ssh/software.zeek
similarity index 100%
rename from scripts/policy/protocols/ssh/software.bro
rename to scripts/policy/protocols/ssh/software.zeek
diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/expiring-certs.bro
rename to scripts/policy/protocols/ssl/expiring-certs.zeek
diff --git a/scripts/policy/protocols/ssl/extract-certs-pem.bro b/scripts/policy/protocols/ssl/extract-certs-pem.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/extract-certs-pem.bro
rename to scripts/policy/protocols/ssl/extract-certs-pem.zeek
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/heartbleed.bro
rename to scripts/policy/protocols/ssl/heartbleed.zeek
diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/known-certs.bro
rename to scripts/policy/protocols/ssl/known-certs.zeek
diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/log-hostcerts-only.bro
rename to scripts/policy/protocols/ssl/log-hostcerts-only.zeek
diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/notary.bro
rename to scripts/policy/protocols/ssl/notary.zeek
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/validate-certs.bro
rename to scripts/policy/protocols/ssl/validate-certs.zeek
diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/validate-ocsp.bro
rename to scripts/policy/protocols/ssl/validate-ocsp.zeek
diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/validate-sct.bro
rename to scripts/policy/protocols/ssl/validate-sct.zeek
diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.zeek
similarity index 100%
rename from scripts/policy/protocols/ssl/weak-keys.bro
rename to scripts/policy/protocols/ssl/weak-keys.zeek
diff --git a/scripts/policy/tuning/__load__.bro b/scripts/policy/tuning/__load__.zeek
similarity index 100%
rename from scripts/policy/tuning/__load__.bro
rename to scripts/policy/tuning/__load__.zeek
diff --git a/scripts/policy/tuning/defaults/__load__.bro b/scripts/policy/tuning/defaults/__load__.zeek
similarity index 100%
rename from scripts/policy/tuning/defaults/__load__.bro
rename to scripts/policy/tuning/defaults/__load__.zeek
diff --git a/scripts/policy/tuning/defaults/extracted_file_limits.bro b/scripts/policy/tuning/defaults/extracted_file_limits.zeek
similarity index 100%
rename from scripts/policy/tuning/defaults/extracted_file_limits.bro
rename to scripts/policy/tuning/defaults/extracted_file_limits.zeek
diff --git a/scripts/policy/tuning/defaults/packet-fragments.bro b/scripts/policy/tuning/defaults/packet-fragments.zeek
similarity index 100%
rename from scripts/policy/tuning/defaults/packet-fragments.bro
rename to scripts/policy/tuning/defaults/packet-fragments.zeek
diff --git a/scripts/policy/tuning/defaults/warnings.bro b/scripts/policy/tuning/defaults/warnings.zeek
similarity index 100%
rename from scripts/policy/tuning/defaults/warnings.bro
rename to scripts/policy/tuning/defaults/warnings.zeek
diff --git a/scripts/policy/tuning/json-logs.bro b/scripts/policy/tuning/json-logs.zeek
similarity index 100%
rename from scripts/policy/tuning/json-logs.bro
rename to scripts/policy/tuning/json-logs.zeek
diff --git a/scripts/policy/tuning/track-all-assets.bro b/scripts/policy/tuning/track-all-assets.zeek
similarity index 100%
rename from scripts/policy/tuning/track-all-assets.bro
rename to scripts/policy/tuning/track-all-assets.zeek
diff --git a/scripts/site/local.bro b/scripts/site/local.zeek
similarity index 100%
rename from scripts/site/local.bro
rename to scripts/site/local.zeek
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
deleted file mode 100644
index be2efbbc19..0000000000
--- a/scripts/test-all-policy.bro
+++ /dev/null
@@ -1,113 +0,0 @@
-# This file loads ALL policy scripts that are part of the Bro distribution.
-#
-# This is rarely makes sense, and is for testing only.
-#
-# Note that we have a unit test that makes sure that all policy files shipped are
-# actually loaded here. If we have files that are part of the distribution yet
-# can't be loaded here, these must still be listed here with their load command
-# commented out.
-
-# The base/ scripts are all loaded by default and not included here.
-
-# @load frameworks/control/controllee.bro
-# @load frameworks/control/controller.bro
-@load frameworks/dpd/detect-protocols.bro
-@load frameworks/dpd/packet-segment-logging.bro
-@load frameworks/intel/do_notice.bro
-@load frameworks/intel/do_expire.bro
-@load frameworks/intel/whitelist.bro
-@load frameworks/intel/removal.bro
-@load frameworks/intel/seen/__load__.bro
-@load frameworks/intel/seen/conn-established.bro
-@load frameworks/intel/seen/dns.bro
-@load frameworks/intel/seen/file-hashes.bro
-@load frameworks/intel/seen/file-names.bro
-@load frameworks/intel/seen/http-headers.bro
-@load frameworks/intel/seen/http-url.bro
-@load frameworks/intel/seen/pubkey-hashes.bro
-@load frameworks/intel/seen/smb-filenames.bro
-@load frameworks/intel/seen/smtp-url-extraction.bro
-@load frameworks/intel/seen/smtp.bro
-@load frameworks/intel/seen/ssl.bro
-@load frameworks/intel/seen/where-locations.bro
-@load frameworks/intel/seen/x509.bro
-@load frameworks/files/detect-MHR.bro
-@load frameworks/files/entropy-test-all-files.bro
-#@load frameworks/files/extract-all-files.bro
-@load frameworks/files/hash-all-files.bro
-@load frameworks/notice/__load__.bro
-@load frameworks/notice/extend-email/hostnames.bro
-@load files/x509/log-ocsp.bro
-@load frameworks/packet-filter/shunt.bro
-@load frameworks/software/version-changes.bro
-@load frameworks/software/vulnerable.bro
-@load frameworks/software/windows-version-detection.bro
-@load integration/barnyard2/__load__.bro
-@load integration/barnyard2/main.bro
-@load integration/barnyard2/types.bro
-@load integration/collective-intel/__load__.bro
-@load integration/collective-intel/main.bro
-@load misc/capture-loss.bro
-@load misc/detect-traceroute/__load__.bro
-@load misc/detect-traceroute/main.bro
-# @load misc/dump-events.bro
-@load misc/load-balancing.bro
-@load misc/loaded-scripts.bro
-@load misc/profiling.bro
-@load misc/scan.bro
-@load misc/stats.bro
-@load misc/weird-stats.bro
-@load misc/trim-trace-file.bro
-@load protocols/conn/known-hosts.bro
-@load protocols/conn/known-services.bro
-@load protocols/conn/mac-logging.bro
-@load protocols/conn/vlan-logging.bro
-@load protocols/conn/weirds.bro
-#@load protocols/dhcp/deprecated_events.bro
-@load protocols/dhcp/msg-orig.bro
-@load protocols/dhcp/software.bro
-@load protocols/dhcp/sub-opts.bro
-@load protocols/dns/auth-addl.bro
-@load protocols/dns/detect-external-names.bro
-@load protocols/ftp/detect-bruteforcing.bro
-@load protocols/ftp/detect.bro
-@load protocols/ftp/software.bro
-@load protocols/http/detect-sqli.bro
-@load protocols/http/detect-webapps.bro
-@load protocols/http/header-names.bro
-@load protocols/http/software-browser-plugins.bro
-@load protocols/http/software.bro
-@load protocols/http/var-extraction-cookies.bro
-@load protocols/http/var-extraction-uri.bro
-@load protocols/krb/ticket-logging.bro
-@load protocols/modbus/known-masters-slaves.bro
-@load protocols/modbus/track-memmap.bro
-@load protocols/mysql/software.bro
-@load protocols/rdp/indicate_ssl.bro
-#@load protocols/smb/__load__.bro
-@load protocols/smb/log-cmds.bro
-@load protocols/smtp/blocklists.bro
-@load protocols/smtp/detect-suspicious-orig.bro
-@load protocols/smtp/entities-excerpt.bro
-@load protocols/smtp/software.bro
-@load protocols/ssh/detect-bruteforcing.bro
-@load protocols/ssh/geo-data.bro
-@load protocols/ssh/interesting-hostnames.bro
-@load protocols/ssh/software.bro
-@load protocols/ssl/expiring-certs.bro
-@load protocols/ssl/extract-certs-pem.bro
-@load protocols/ssl/heartbleed.bro
-@load protocols/ssl/known-certs.bro
-@load protocols/ssl/log-hostcerts-only.bro
-#@load protocols/ssl/notary.bro
-@load protocols/ssl/validate-certs.bro
-@load protocols/ssl/validate-ocsp.bro
-@load protocols/ssl/validate-sct.bro
-@load protocols/ssl/weak-keys.bro
-@load tuning/__load__.bro
-@load tuning/defaults/__load__.bro
-@load tuning/defaults/extracted_file_limits.bro
-@load tuning/defaults/packet-fragments.bro
-@load tuning/defaults/warnings.bro
-@load tuning/json-logs.bro
-@load tuning/track-all-assets.bro
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
new file mode 100644
index 0000000000..26408b6d44
--- /dev/null
+++ b/scripts/test-all-policy.zeek
@@ -0,0 +1,113 @@
+# This file loads ALL policy scripts that are part of the Bro distribution.
+#
+# This is rarely makes sense, and is for testing only.
+#
+# Note that we have a unit test that makes sure that all policy files shipped are
+# actually loaded here. If we have files that are part of the distribution yet
+# can't be loaded here, these must still be listed here with their load command
+# commented out.
+
+# The base/ scripts are all loaded by default and not included here.
+
+# @load frameworks/control/controllee.zeek
+# @load frameworks/control/controller.zeek
+@load frameworks/dpd/detect-protocols.zeek
+@load frameworks/dpd/packet-segment-logging.zeek
+@load frameworks/intel/do_notice.zeek
+@load frameworks/intel/do_expire.zeek
+@load frameworks/intel/whitelist.zeek
+@load frameworks/intel/removal.zeek
+@load frameworks/intel/seen/__load__.zeek
+@load frameworks/intel/seen/conn-established.zeek
+@load frameworks/intel/seen/dns.zeek
+@load frameworks/intel/seen/file-hashes.zeek
+@load frameworks/intel/seen/file-names.zeek
+@load frameworks/intel/seen/http-headers.zeek
+@load frameworks/intel/seen/http-url.zeek
+@load frameworks/intel/seen/pubkey-hashes.zeek
+@load frameworks/intel/seen/smb-filenames.zeek
+@load frameworks/intel/seen/smtp-url-extraction.zeek
+@load frameworks/intel/seen/smtp.zeek
+@load frameworks/intel/seen/ssl.zeek
+@load frameworks/intel/seen/where-locations.zeek
+@load frameworks/intel/seen/x509.zeek
+@load frameworks/files/detect-MHR.zeek
+@load frameworks/files/entropy-test-all-files.zeek
+#@load frameworks/files/extract-all-files.zeek
+@load frameworks/files/hash-all-files.zeek
+@load frameworks/notice/__load__.zeek
+@load frameworks/notice/extend-email/hostnames.zeek
+@load files/x509/log-ocsp.zeek
+@load frameworks/packet-filter/shunt.zeek
+@load frameworks/software/version-changes.zeek
+@load frameworks/software/vulnerable.zeek
+@load frameworks/software/windows-version-detection.zeek
+@load integration/barnyard2/__load__.zeek
+@load integration/barnyard2/main.zeek
+@load integration/barnyard2/types.zeek
+@load integration/collective-intel/__load__.zeek
+@load integration/collective-intel/main.zeek
+@load misc/capture-loss.zeek
+@load misc/detect-traceroute/__load__.zeek
+@load misc/detect-traceroute/main.zeek
+# @load misc/dump-events.zeek
+@load misc/load-balancing.zeek
+@load misc/loaded-scripts.zeek
+@load misc/profiling.zeek
+@load misc/scan.zeek
+@load misc/stats.zeek
+@load misc/weird-stats.zeek
+@load misc/trim-trace-file.zeek
+@load protocols/conn/known-hosts.zeek
+@load protocols/conn/known-services.zeek
+@load protocols/conn/mac-logging.zeek
+@load protocols/conn/vlan-logging.zeek
+@load protocols/conn/weirds.zeek
+#@load protocols/dhcp/deprecated_events.zeek
+@load protocols/dhcp/msg-orig.zeek
+@load protocols/dhcp/software.zeek
+@load protocols/dhcp/sub-opts.zeek
+@load protocols/dns/auth-addl.zeek
+@load protocols/dns/detect-external-names.zeek
+@load protocols/ftp/detect-bruteforcing.zeek
+@load protocols/ftp/detect.zeek
+@load protocols/ftp/software.zeek
+@load protocols/http/detect-sqli.zeek
+@load protocols/http/detect-webapps.zeek
+@load protocols/http/header-names.zeek
+@load protocols/http/software-browser-plugins.zeek
+@load protocols/http/software.zeek
+@load protocols/http/var-extraction-cookies.zeek
+@load protocols/http/var-extraction-uri.zeek
+@load protocols/krb/ticket-logging.zeek
+@load protocols/modbus/known-masters-slaves.zeek
+@load protocols/modbus/track-memmap.zeek
+@load protocols/mysql/software.zeek
+@load protocols/rdp/indicate_ssl.zeek
+#@load protocols/smb/__load__.zeek
+@load protocols/smb/log-cmds.zeek
+@load protocols/smtp/blocklists.zeek
+@load protocols/smtp/detect-suspicious-orig.zeek
+@load protocols/smtp/entities-excerpt.zeek
+@load protocols/smtp/software.zeek
+@load protocols/ssh/detect-bruteforcing.zeek
+@load protocols/ssh/geo-data.zeek
+@load protocols/ssh/interesting-hostnames.zeek
+@load
protocols/ssh/software.zeek +@load protocols/ssl/expiring-certs.zeek +@load protocols/ssl/extract-certs-pem.zeek +@load protocols/ssl/heartbleed.zeek +@load protocols/ssl/known-certs.zeek +@load protocols/ssl/log-hostcerts-only.zeek +#@load protocols/ssl/notary.zeek +@load protocols/ssl/validate-certs.zeek +@load protocols/ssl/validate-ocsp.zeek +@load protocols/ssl/validate-sct.zeek +@load protocols/ssl/weak-keys.zeek +@load tuning/__load__.zeek +@load tuning/defaults/__load__.zeek +@load tuning/defaults/extracted_file_limits.zeek +@load tuning/defaults/packet-fragments.zeek +@load tuning/defaults/warnings.zeek +@load tuning/json-logs.zeek +@load tuning/track-all-assets.zeek diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index f3dfd42d85..35fb70f5de 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -385,17 +385,17 @@ add_dependencies(generate_outputs_stage2b generate_outputs_stage1) add_custom_target(generate_outputs) add_dependencies(generate_outputs generate_outputs_stage2a generate_outputs_stage2b) -# Build __load__.bro files for standard *.bif.bro. +# Build __load__.zeek files for standard *.bif.zeek. bro_bif_create_loader(bif_loader "${bro_BASE_BIF_SCRIPTS}") add_dependencies(bif_loader ${bro_SUBDIRS}) add_dependencies(bro bif_loader) -# Build __load__.bro files for plugins/*.bif.bro. +# Build __load__.zeek files for plugins/*.bif.zeek. bro_bif_create_loader(bif_loader_plugins "${bro_PLUGIN_BIF_SCRIPTS}") add_dependencies(bif_loader_plugins ${bro_SUBDIRS}) add_dependencies(bro bif_loader_plugins) -# Install *.bif.bro. +# Install *.bif.zeek. install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base) # Create plugin directory at install time. diff --git a/src/Type.cc b/src/Type.cc index 77a5ac6d16..741f1cfc0f 100644 --- a/src/Type.cc +++ b/src/Type.cc 
@@ -1510,7 +1510,7 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name, else { // We allow double-definitions if matching exactly. This is so that - // we can define an enum both in a *.bif and *.bro for avoiding + // we can define an enum both in a *.bif and *.zeek for avoiding // cyclic dependencies. string fullname = make_full_var_name(module_name.c_str(), name); if ( id->Name() != fullname diff --git a/src/broxygen/ScriptInfo.cc b/src/broxygen/ScriptInfo.cc index da6ba6b44a..7ecf212a44 100644 --- a/src/broxygen/ScriptInfo.cc +++ b/src/broxygen/ScriptInfo.cc @@ -253,12 +253,12 @@ void ScriptInfo::DoInitPostScript() // The following enum types are automatically created internally in Bro, // so just manually associating them with scripts for now. - if ( name == "base/frameworks/input/main.bro" ) + if ( name == "base/frameworks/input/main.zeek" ) { auto id = global_scope()->Lookup("Input::Reader"); types.push_back(new IdentifierInfo(id, this)); } - else if ( name == "base/frameworks/logging/main.bro" ) + else if ( name == "base/frameworks/logging/main.zeek" ) { auto id = global_scope()->Lookup("Log::Writer"); types.push_back(new IdentifierInfo(id, this)); diff --git a/src/broxygen/ScriptInfo.h b/src/broxygen/ScriptInfo.h index d7328ef7c8..dd43e15a4e 100644 --- a/src/broxygen/ScriptInfo.h +++ b/src/broxygen/ScriptInfo.h @@ -77,7 +77,7 @@ public: { redefs.insert(info); } /** - * @return Whether the script is a package loader (i.e. "__load__.bro"). + * @return Whether the script is a package loader (i.e. "__load__.zeek"). */ bool IsPkgLoader() const { return is_pkg_loader; } diff --git a/src/broxygen/Target.h b/src/broxygen/Target.h index 9a5a23107c..7f18697eaf 100644 --- a/src/broxygen/Target.h +++ b/src/broxygen/Target.h 
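Review bot: The two comparisons in `ScriptInfo::DoInitPostScript()`, `name == "base/frameworks/input/main.zeek"` and `name == "base/frameworks/logging/main.zeek"`, now depend on the exact file name including its suffix, and nothing in the hunk reports the case where neither matches, so `Input::Reader` and `Log::Writer` would presumably just be missing from the generated documentation. The `add_essential_input_file("base/init-bare.zeek")` calls in the src/main.cc hunk carry the same hard-coded suffix, while the plugin loader in src/plugin/Manager.cc iterates `script_extensions`. I would at least mark the coupling above the first comparison, e.g. `// Keep in sync with the script's file name, suffix included; a mismatch silently drops the type.` Whether `name` can ever carry another suffix is not visible here, and the function body starts and ends outside the hunk.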
@@ -41,7 +41,7 @@ struct TargetFile { /** * A Broxygen target abstract base class. A target is generally any portion of * documentation that Bro can build. It's identified by a type (e.g. script, - * identifier, package), a pattern (e.g. "example.bro", "HTTP::Info"), and + * identifier, package), a pattern (e.g. "example.zeek", "HTTP::Info"), and * a path to an output file. */ class Target { diff --git a/src/broxygen/broxygen.bif b/src/broxygen/broxygen.bif index d1b3028edc..4b2f5653b2 100644 --- a/src/broxygen/broxygen.bif +++ b/src/broxygen/broxygen.bif @@ -35,7 +35,7 @@ function get_identifier_comments%(name: string%): string ## ## name: the name of a Bro script. It must be a relative path to where ## it is located within a particular component of BROPATH and use -## the same file name extension/suffix as the actual file (e.g. ".bro"). +## the same file name extension/suffix as the actual file (e.g. ".zeek"). ## ## Returns: summary comments associated with script with *name*. If ## *name* is not a known script, an empty string is returned. diff --git a/src/const.bif b/src/const.bif index 6d60ac707b..9da5950259 100644 --- a/src/const.bif +++ b/src/const.bif @@ -1,6 +1,6 @@ ##! Declaration of various scripting-layer constants that the Bro core uses ##! internally. Documentation and default values for the scripting-layer -##! variables themselves are found in :doc:`/scripts/base/init-bare.bro`. +##! variables themselves are found in :doc:`/scripts/base/init-bare.zeek`. const ignore_keep_alive_rexmit: bool; const skip_http_data: bool; diff --git a/src/main.cc b/src/main.cc index 473f3a72e7..782c49edde 100644 --- a/src/main.cc +++ b/src/main.cc 
@@ -823,11 +823,11 @@ int main(int argc, char** argv) broxygen_mgr = new broxygen::Manager(broxygen_config, bro_argv[0]); - add_essential_input_file("base/init-bare.bro"); - add_essential_input_file("base/init-frameworks-and-bifs.bro"); + add_essential_input_file("base/init-bare.zeek"); + add_essential_input_file("base/init-frameworks-and-bifs.zeek"); if ( ! bare_mode ) - add_input_file("base/init-default.bro"); + add_input_file("base/init-default.zeek"); plugin_mgr->SearchDynamicPlugins(bro_plugin_path()); diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index e098d955c1..47f7ba1ed9 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -185,7 +185,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ string init; - // First load {scripts}/__preload__.bro automatically. + // First load {scripts}/__preload__.zeek automatically. for (const string& ext : script_extensions) { init = dir + "scripts/__preload__" + ext; @@ -198,7 +198,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ } } - // Load {bif,scripts}/__load__.bro automatically. + // Load {bif,scripts}/__load__.zeek automatically. for (const string& ext : script_extensions) { init = dir + "lib/bif/__load__" + ext; diff --git a/src/reporter.bif b/src/reporter.bif index 4a58e2728b..038182574e 100644 --- a/src/reporter.bif +++ b/src/reporter.bif @@ -4,7 +4,7 @@ ##! If event handlers do exist, it's assumed they take care of determining ##! how/where to output the messages. ##! -##! See :doc:`/scripts/base/frameworks/reporter/main.bro` for a convenient +##! See :doc:`/scripts/base/frameworks/reporter/main.zeek` for a convenient ##! reporter message logging framework. module Reporter; diff --git a/src/scan.l b/src/scan.l index 4da18b125f..fb8ca20f8e 100644 --- a/src/scan.l +++ b/src/scan.l 
@@ -923,7 +923,7 @@ int yywrap() if ( ! did_builtin_init && file_stack.length() == 1 ) { // ### This is a gross hack - we know that the first file - // we parse is init-bare.bro, and after it it's safe to initialize + // we parse is init-bare.zeek, and after it it's safe to initialize // the built-ins. Furthermore, we want to initialize the // built-in's *right* after parsing bro.init, so that other // source files can use built-in's when initializing globals. @@ -961,7 +961,7 @@ int yywrap() // prefixed and flattened version of the loaded file in BROPATH. The // flattening involves taking the path in BROPATH in which the // scanned file lives and replacing '/' path separators with a '.' If - // the scanned file is "__load__.bro", that part of the flattened + // the scanned file is "__load__.zeek", that part of the flattened // file name is discarded. If the prefix is non-empty, it gets placed // in front of the flattened path, separated with another '.' std::list::iterator it; diff --git a/src/types.bif b/src/types.bif index babccb0f0d..79f5780f52 100644 --- a/src/types.bif +++ b/src/types.bif @@ -141,7 +141,7 @@ enum createmode_t %{ %} # Declare record types that we want to access from the event engine. These are -# defined in init-bare.bro. +# defined in init-bare.zeek. type info_t: record; type fattr_t: record; type sattr_t: record; diff --git a/src/util.h b/src/util.h index bd1566080f..b63b74a3f7 100644 --- a/src/util.h +++ b/src/util.h @@ -309,7 +309,7 @@ std::string implode_string_vector(const std::vector& v, /** * Flatten a script name by replacing '/' path separators with '.'. - * @param file A path to a Bro script. If it is a __load__.bro, that part + * @param file A path to a Bro script. If it is a __load__.zeek, that part * is discarded when constructing the flattened the name. * @param prefix A string to prepend to the flattened script name. * @return The flattened script name. From 4e0c1997a0f34901fc93efb93f215d9f3d3ce852 Mon Sep 17 00:00:00 2001 
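Review bot: The comment in `yywrap()` is now inconsistent with itself: the changed line names `init-bare.zeek` as the first file parsed, but the unchanged line three below it still says the built-ins are initialized "*right* after parsing bro.init". If both refer to the same file, as the surrounding text suggests, that line should read `// built-in's *right* after parsing init-bare.zeek, so that other`. The comment documents an ordering that other source files rely on when they use built-ins to initialize globals, so the file name in it is worth keeping exact. The function body continues outside the hunk.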
From: Daniel Thayer Date: Thu, 11 Apr 2019 23:32:58 -0500 Subject: [PATCH 65/88] Update tests and baselines due to renaming all scripts --- .../btest/Baseline/core.load-prefixes/output | 4 +- .../Baseline/core.pcap.filter-error/output | 2 +- .../canonified_loaded_scripts.log | 346 ++++----- .../Baseline/coverage.bare-mode-errors/errors | 36 +- .../canonified_loaded_scripts.log | 734 +++++++++--------- .../coverage.init-default/missing_loads | 20 +- .../Baseline/doc.broxygen.all_scripts/.stderr | 20 +- .../Baseline/doc.broxygen.example/example.rst | 6 +- .../Baseline/doc.broxygen.package/test.rst | 4 +- .../doc.broxygen.script_index/test.rst | 4 +- .../doc.broxygen.script_summary/test.rst | 2 +- .../language.index-assignment-invalid/out | 2 +- .../output | 2 +- .../out1 | 2 +- .../scripts.base.misc.version/.stderr | 8 +- testing/btest/core/ip-broken-header.bro | 2 +- testing/btest/core/load-prefixes.bro | 10 +- .../btest/coverage/bare-load-baseline.test | 2 +- testing/btest/coverage/bare-mode-errors.test | 2 +- testing/btest/coverage/find-bro-logs.test | 2 +- testing/btest/coverage/init-default.test | 16 +- testing/btest/coverage/test-all-policy.test | 14 +- testing/btest/doc/broxygen/example.bro | 4 +- testing/btest/doc/broxygen/script_summary.bro | 2 +- .../logging/ascii-json-optional.bro | 2 +- .../scripts/base/protocols/modbus/policy.bro | 4 +- .../base/protocols/ssl/cve-2015-3194.test | 2 +- .../base/protocols/ssl/keyexchange.test | 2 +- .../btest/scripts/policy/misc/dump-events.bro | 6 +- .../btest/scripts/policy/misc/weird-stats.bro | 2 +- .../protocols/ssl/validate-certs-no-cache.bro | 2 +- .../policy/protocols/ssl/validate-certs.bro | 2 +- .../policy/protocols/ssl/validate-sct.bro | 2 +- 33 files changed, 635 insertions(+), 635 deletions(-) diff --git a/testing/btest/Baseline/core.load-prefixes/output b/testing/btest/Baseline/core.load-prefixes/output index 2969d774cf..05e54cb3b9 100644 --- a/testing/btest/Baseline/core.load-prefixes/output 
+++ b/testing/btest/Baseline/core.load-prefixes/output @@ -1,4 +1,4 @@ -loaded lcl2.base.utils.site.bro -loaded lcl.base.utils.site.bro +loaded lcl2.base.utils.site.zeek +loaded lcl.base.utils.site.zeek loaded lcl2.base.protocols.http.bro loaded lcl.base.protocols.http.zeek diff --git a/testing/btest/Baseline/core.pcap.filter-error/output b/testing/btest/Baseline/core.pcap.filter-error/output index 82804bb483..f52fdf7e0a 100644 --- a/testing/btest/Baseline/core.pcap.filter-error/output +++ b/testing/btest/Baseline/core.pcap.filter-error/output @@ -1,3 +1,3 @@ -fatal error in /home/robin/bro/master/scripts/base/frameworks/packet-filter/./main.bro, line 282: Bad pcap filter 'kaputt' +fatal error in /home/robin/bro/master/scripts/base/frameworks/packet-filter/./main.zeek, line 282: Bad pcap filter 'kaputt' ---- error, cannot compile BPF filter "kaputt, too" diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 4eeaa4b07b..f533fd8be2 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
@@ -6,177 +6,177 @@ #open 2018-06-08-16-37-15 #fields name #types string -scripts/base/init-bare.bro - build/scripts/base/bif/const.bif.bro - build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/bro.bif.bro - build/scripts/base/bif/stats.bif.bro - build/scripts/base/bif/reporter.bif.bro - build/scripts/base/bif/strings.bif.bro - build/scripts/base/bif/option.bif.bro - build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro - build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro - build/scripts/base/bif/event.bif.bro -scripts/base/init-frameworks-and-bifs.bro - scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/main.bro - build/scripts/base/bif/logging.bif.bro - scripts/base/frameworks/logging/postprocessors/__load__.bro - scripts/base/frameworks/logging/postprocessors/scp.bro - scripts/base/frameworks/logging/postprocessors/sftp.bro - scripts/base/frameworks/logging/writers/ascii.bro - scripts/base/frameworks/logging/writers/sqlite.bro - scripts/base/frameworks/logging/writers/none.bro - scripts/base/frameworks/broker/__load__.bro - scripts/base/frameworks/broker/main.bro - build/scripts/base/bif/comm.bif.bro - build/scripts/base/bif/messaging.bif.bro - scripts/base/frameworks/broker/store.bro - build/scripts/base/bif/data.bif.bro - build/scripts/base/bif/store.bif.bro - scripts/base/frameworks/broker/log.bro - scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/main.bro - build/scripts/base/bif/input.bif.bro - scripts/base/frameworks/input/readers/ascii.bro - scripts/base/frameworks/input/readers/raw.bro - scripts/base/frameworks/input/readers/benchmark.bro - scripts/base/frameworks/input/readers/binary.bro - scripts/base/frameworks/input/readers/config.bro - scripts/base/frameworks/input/readers/sqlite.bro - scripts/base/frameworks/analyzer/__load__.bro - scripts/base/frameworks/analyzer/main.bro - scripts/base/frameworks/packet-filter/utils.bro - build/scripts/base/bif/analyzer.bif.bro - 
scripts/base/frameworks/files/__load__.bro - scripts/base/frameworks/files/main.bro - build/scripts/base/bif/file_analysis.bif.bro - scripts/base/utils/site.bro - scripts/base/utils/patterns.bro - scripts/base/frameworks/files/magic/__load__.bro - build/scripts/base/bif/__load__.bro - build/scripts/base/bif/broxygen.bif.bro - build/scripts/base/bif/pcap.bif.bro - build/scripts/base/bif/bloom-filter.bif.bro - build/scripts/base/bif/cardinality-counter.bif.bro - build/scripts/base/bif/top-k.bif.bro - build/scripts/base/bif/plugins/__load__.bro - build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro - build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro - build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro - build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro - build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro - build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro - build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro - build/scripts/base/bif/plugins/Bro_File.events.bif.bro - build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro - build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro - build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro - build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro - build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro - 
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro - build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro - build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro - build/scripts/base/bif/plugins/Bro_Login.events.bif.bro - build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro - build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro - build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro - build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro - build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro - build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro - build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro - build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro - build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro - build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro - build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro - build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro - build/scripts/base/bif/plugins/Bro_RDP.types.bif.bro - build/scripts/base/bif/plugins/Bro_RFB.events.bif.bro - build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro - build/scripts/base/bif/plugins/Bro_SIP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro - 
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.types.bif.bro - build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSH.types.bif.bro - build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSL.types.bif.bro - 
build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro - build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro - build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro - build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro - build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro - build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro - build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro - build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro - build/scripts/base/bif/plugins/Bro_PE.events.bif.bro - build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro - build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro - build/scripts/base/bif/plugins/Bro_X509.events.bif.bro - build/scripts/base/bif/plugins/Bro_X509.types.bif.bro - build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro - build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro - build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro - build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro - build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro - build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro - build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro - build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro - build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro - build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro - build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro -scripts/policy/misc/loaded-scripts.bro - scripts/base/utils/paths.bro +scripts/base/init-bare.zeek + build/scripts/base/bif/const.bif.zeek + 
build/scripts/base/bif/types.bif.zeek + build/scripts/base/bif/bro.bif.zeek + build/scripts/base/bif/stats.bif.zeek + build/scripts/base/bif/reporter.bif.zeek + build/scripts/base/bif/strings.bif.zeek + build/scripts/base/bif/option.bif.zeek + build/scripts/base/bif/plugins/Bro_SNMP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_KRB.types.bif.zeek + build/scripts/base/bif/event.bif.zeek +scripts/base/init-frameworks-and-bifs.zeek + scripts/base/frameworks/logging/__load__.zeek + scripts/base/frameworks/logging/main.zeek + build/scripts/base/bif/logging.bif.zeek + scripts/base/frameworks/logging/postprocessors/__load__.zeek + scripts/base/frameworks/logging/postprocessors/scp.zeek + scripts/base/frameworks/logging/postprocessors/sftp.zeek + scripts/base/frameworks/logging/writers/ascii.zeek + scripts/base/frameworks/logging/writers/sqlite.zeek + scripts/base/frameworks/logging/writers/none.zeek + scripts/base/frameworks/broker/__load__.zeek + scripts/base/frameworks/broker/main.zeek + build/scripts/base/bif/comm.bif.zeek + build/scripts/base/bif/messaging.bif.zeek + scripts/base/frameworks/broker/store.zeek + build/scripts/base/bif/data.bif.zeek + build/scripts/base/bif/store.bif.zeek + scripts/base/frameworks/broker/log.zeek + scripts/base/frameworks/input/__load__.zeek + scripts/base/frameworks/input/main.zeek + build/scripts/base/bif/input.bif.zeek + scripts/base/frameworks/input/readers/ascii.zeek + scripts/base/frameworks/input/readers/raw.zeek + scripts/base/frameworks/input/readers/benchmark.zeek + scripts/base/frameworks/input/readers/binary.zeek + scripts/base/frameworks/input/readers/config.zeek + scripts/base/frameworks/input/readers/sqlite.zeek + scripts/base/frameworks/analyzer/__load__.zeek + scripts/base/frameworks/analyzer/main.zeek + scripts/base/frameworks/packet-filter/utils.zeek + build/scripts/base/bif/analyzer.bif.zeek + scripts/base/frameworks/files/__load__.zeek + scripts/base/frameworks/files/main.zeek + 
build/scripts/base/bif/file_analysis.bif.zeek + scripts/base/utils/site.zeek + scripts/base/utils/patterns.zeek + scripts/base/frameworks/files/magic/__load__.zeek + build/scripts/base/bif/__load__.zeek + build/scripts/base/bif/broxygen.bif.zeek + build/scripts/base/bif/pcap.bif.zeek + build/scripts/base/bif/bloom-filter.bif.zeek + build/scripts/base/bif/cardinality-counter.bif.zeek + build/scripts/base/bif/top-k.bif.zeek + build/scripts/base/bif/plugins/__load__.zeek + build/scripts/base/bif/plugins/Bro_ARP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.zeek + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.zeek + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.zeek + build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DHCP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_DNP3.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DNS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_File.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Finger.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.zeek + build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.zeek + build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.zeek + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Ident.events.bif.zeek + build/scripts/base/bif/plugins/Bro_IMAP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_InterConn.events.bif.zeek + 
build/scripts/base/bif/plugins/Bro_IRC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_KRB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Login.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Login.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_MIME.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.zeek + build/scripts/base/bif/plugins/Bro_MySQL.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NCP.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_NTLM.types.bif.zeek + build/scripts/base/bif/plugins/Bro_NTLM.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_POP3.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RDP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RDP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_RFB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RPC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SIP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SNMP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.zeek + 
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSH.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SSH.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.events.bif.zeek + 
build/scripts/base/bif/plugins/Bro_SSL.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.zeek + build/scripts/base/bif/plugins/Bro_TCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.zeek + build/scripts/base/bif/plugins/Bro_UDP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.zeek + build/scripts/base/bif/plugins/Bro_XMPP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_FileHash.events.bif.zeek + build/scripts/base/bif/plugins/Bro_PE.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Unified2.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Unified2.types.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.events.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.types.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.zeek + build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.zeek + build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.zeek + build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.zeek + build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.zeek + build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.zeek + build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.zeek + build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.zeek + build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.zeek + build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.zeek +scripts/policy/misc/loaded-scripts.zeek + scripts/base/utils/paths.zeek #close 2018-06-08-16-37-15 
diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/errors b/testing/btest/Baseline/coverage.bare-mode-errors/errors index e11a4ca00f..68129bbab6 100644 --- a/testing/btest/Baseline/coverage.bare-mode-errors/errors +++ b/testing/btest/Baseline/coverage.bare-mode-errors/errors 
@@ -1,18 +1,18 @@ -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 245: deprecated (dhcp_discover) -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 248: deprecated (dhcp_offer) -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 251: deprecated (dhcp_request) -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 254: deprecated (dhcp_decline) -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 257: deprecated (dhcp_ack) -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 260: deprecated (dhcp_nak) -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 263: deprecated (dhcp_release) -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 266: deprecated (dhcp_inform) -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.bro, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/testing/btest/../../scripts//broxygen/__load__.bro:10 "Use '@load base/protocols/smb' instead" -warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 245: deprecated (dhcp_discover) -warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 248: deprecated (dhcp_offer) -warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 251: deprecated (dhcp_request) -warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 254: deprecated (dhcp_decline) -warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, 
line 257: deprecated (dhcp_ack) -warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 260: deprecated (dhcp_nak) -warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 263: deprecated (dhcp_release) -warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 266: deprecated (dhcp_inform) -warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/smb/__load__.bro, line 1: deprecated script loaded from command line arguments "Use '@load base/protocols/smb' instead" +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 245: deprecated (dhcp_discover) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 248: deprecated (dhcp_offer) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 251: deprecated (dhcp_request) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 254: deprecated (dhcp_decline) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 257: deprecated (dhcp_ack) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 260: deprecated (dhcp_nak) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 263: deprecated (dhcp_release) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 266: deprecated (dhcp_inform) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/testing/btest/../../scripts//broxygen/__load__.zeek:10 "Use '@load base/protocols/smb' instead" +warning in 
/Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 245: deprecated (dhcp_discover) +warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 248: deprecated (dhcp_offer) +warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 251: deprecated (dhcp_request) +warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 254: deprecated (dhcp_decline) +warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 257: deprecated (dhcp_ack) +warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 260: deprecated (dhcp_nak) +warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 263: deprecated (dhcp_release) +warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 266: deprecated (dhcp_inform) +warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from command line arguments "Use '@load base/protocols/smb' instead" diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index eaca1c489a..45185bed09 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -6,371 +6,371 @@ #open 2018-09-05-20-33-08 #fields name #types string -scripts/base/init-bare.bro - build/scripts/base/bif/const.bif.bro - build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/bro.bif.bro - build/scripts/base/bif/stats.bif.bro - build/scripts/base/bif/reporter.bif.bro - build/scripts/base/bif/strings.bif.bro - build/scripts/base/bif/option.bif.bro - build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro - build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro - build/scripts/base/bif/event.bif.bro -scripts/base/init-frameworks-and-bifs.bro - scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/main.bro - build/scripts/base/bif/logging.bif.bro - scripts/base/frameworks/logging/postprocessors/__load__.bro - scripts/base/frameworks/logging/postprocessors/scp.bro - scripts/base/frameworks/logging/postprocessors/sftp.bro - scripts/base/frameworks/logging/writers/ascii.bro - scripts/base/frameworks/logging/writers/sqlite.bro - scripts/base/frameworks/logging/writers/none.bro - scripts/base/frameworks/broker/__load__.bro - scripts/base/frameworks/broker/main.bro - build/scripts/base/bif/comm.bif.bro - build/scripts/base/bif/messaging.bif.bro - scripts/base/frameworks/broker/store.bro - build/scripts/base/bif/data.bif.bro - build/scripts/base/bif/store.bif.bro - scripts/base/frameworks/broker/log.bro - scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/main.bro - build/scripts/base/bif/input.bif.bro - scripts/base/frameworks/input/readers/ascii.bro - scripts/base/frameworks/input/readers/raw.bro - scripts/base/frameworks/input/readers/benchmark.bro - scripts/base/frameworks/input/readers/binary.bro - scripts/base/frameworks/input/readers/config.bro - scripts/base/frameworks/input/readers/sqlite.bro - scripts/base/frameworks/analyzer/__load__.bro - scripts/base/frameworks/analyzer/main.bro - scripts/base/frameworks/packet-filter/utils.bro - build/scripts/base/bif/analyzer.bif.bro - 
scripts/base/frameworks/files/__load__.bro - scripts/base/frameworks/files/main.bro - build/scripts/base/bif/file_analysis.bif.bro - scripts/base/utils/site.bro - scripts/base/utils/patterns.bro - scripts/base/frameworks/files/magic/__load__.bro - build/scripts/base/bif/__load__.bro - build/scripts/base/bif/broxygen.bif.bro - build/scripts/base/bif/pcap.bif.bro - build/scripts/base/bif/bloom-filter.bif.bro - build/scripts/base/bif/cardinality-counter.bif.bro - build/scripts/base/bif/top-k.bif.bro - build/scripts/base/bif/plugins/__load__.bro - build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro - build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro - build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro - build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro - build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro - build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro - build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro - build/scripts/base/bif/plugins/Bro_File.events.bif.bro - build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro - build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro - build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro - build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro - build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro - 
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro - build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro - build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro - build/scripts/base/bif/plugins/Bro_Login.events.bif.bro - build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro - build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro - build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro - build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro - build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro - build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro - build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro - build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro - build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro - build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro - build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro - build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro - build/scripts/base/bif/plugins/Bro_RDP.types.bif.bro - build/scripts/base/bif/plugins/Bro_RFB.events.bif.bro - build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro - build/scripts/base/bif/plugins/Bro_SIP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro - 
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.types.bif.bro - build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSH.types.bif.bro - build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSL.types.bif.bro - 
build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro - build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro - build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro - build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro - build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro - build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro - build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro - build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro - build/scripts/base/bif/plugins/Bro_PE.events.bif.bro - build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro - build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro - build/scripts/base/bif/plugins/Bro_X509.events.bif.bro - build/scripts/base/bif/plugins/Bro_X509.types.bif.bro - build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro - build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro - build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro - build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro - build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro - build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro - build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro - build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro - build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro - build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro - build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro -scripts/base/init-default.bro - scripts/base/utils/active-http.bro - scripts/base/utils/exec.bro - scripts/base/utils/addrs.bro - scripts/base/utils/conn-ids.bro - 
scripts/base/utils/dir.bro - scripts/base/frameworks/reporter/__load__.bro - scripts/base/frameworks/reporter/main.bro - scripts/base/utils/paths.bro - scripts/base/utils/directions-and-hosts.bro - scripts/base/utils/email.bro - scripts/base/utils/files.bro - scripts/base/utils/geoip-distance.bro - scripts/base/utils/hash_hrw.bro - scripts/base/utils/numbers.bro - scripts/base/utils/queue.bro - scripts/base/utils/strings.bro - scripts/base/utils/thresholds.bro - scripts/base/utils/time.bro - scripts/base/utils/urls.bro - scripts/base/frameworks/notice/__load__.bro - scripts/base/frameworks/notice/main.bro - scripts/base/frameworks/cluster/__load__.bro - scripts/base/frameworks/cluster/main.bro - scripts/base/frameworks/control/__load__.bro - scripts/base/frameworks/control/main.bro - scripts/base/frameworks/cluster/pools.bro - scripts/base/frameworks/notice/weird.bro - scripts/base/frameworks/notice/actions/drop.bro - scripts/base/frameworks/netcontrol/__load__.bro - scripts/base/frameworks/netcontrol/types.bro - scripts/base/frameworks/netcontrol/main.bro - scripts/base/frameworks/netcontrol/plugin.bro - scripts/base/frameworks/netcontrol/plugins/__load__.bro - scripts/base/frameworks/netcontrol/plugins/debug.bro - scripts/base/frameworks/netcontrol/plugins/openflow.bro - scripts/base/frameworks/openflow/__load__.bro - scripts/base/frameworks/openflow/consts.bro - scripts/base/frameworks/openflow/types.bro - scripts/base/frameworks/openflow/main.bro - scripts/base/frameworks/openflow/plugins/__load__.bro - scripts/base/frameworks/openflow/plugins/ryu.bro - scripts/base/utils/json.bro - scripts/base/frameworks/openflow/plugins/log.bro - scripts/base/frameworks/openflow/plugins/broker.bro - scripts/base/frameworks/openflow/non-cluster.bro - scripts/base/frameworks/netcontrol/plugins/packetfilter.bro - scripts/base/frameworks/netcontrol/plugins/broker.bro - scripts/base/frameworks/netcontrol/plugins/acld.bro - scripts/base/frameworks/netcontrol/drop.bro - 
scripts/base/frameworks/netcontrol/shunt.bro - scripts/base/frameworks/netcontrol/catch-and-release.bro - scripts/base/frameworks/netcontrol/non-cluster.bro - scripts/base/frameworks/notice/actions/email_admin.bro - scripts/base/frameworks/notice/actions/page.bro - scripts/base/frameworks/notice/actions/add-geodata.bro - scripts/base/frameworks/notice/actions/pp-alarms.bro - scripts/base/frameworks/dpd/__load__.bro - scripts/base/frameworks/dpd/main.bro - scripts/base/frameworks/signatures/__load__.bro - scripts/base/frameworks/signatures/main.bro - scripts/base/frameworks/packet-filter/__load__.bro - scripts/base/frameworks/packet-filter/main.bro - scripts/base/frameworks/packet-filter/netstats.bro - scripts/base/frameworks/software/__load__.bro - scripts/base/frameworks/software/main.bro - scripts/base/frameworks/intel/__load__.bro - scripts/base/frameworks/intel/main.bro - scripts/base/frameworks/intel/files.bro - scripts/base/frameworks/intel/input.bro - scripts/base/frameworks/config/__load__.bro - scripts/base/frameworks/config/main.bro - scripts/base/frameworks/config/input.bro - scripts/base/frameworks/config/weird.bro - scripts/base/frameworks/sumstats/__load__.bro - scripts/base/frameworks/sumstats/main.bro - scripts/base/frameworks/sumstats/plugins/__load__.bro - scripts/base/frameworks/sumstats/plugins/average.bro - scripts/base/frameworks/sumstats/plugins/hll_unique.bro - scripts/base/frameworks/sumstats/plugins/last.bro - scripts/base/frameworks/sumstats/plugins/max.bro - scripts/base/frameworks/sumstats/plugins/min.bro - scripts/base/frameworks/sumstats/plugins/sample.bro - scripts/base/frameworks/sumstats/plugins/std-dev.bro - scripts/base/frameworks/sumstats/plugins/variance.bro - scripts/base/frameworks/sumstats/plugins/sum.bro - scripts/base/frameworks/sumstats/plugins/topk.bro - scripts/base/frameworks/sumstats/plugins/unique.bro - scripts/base/frameworks/sumstats/non-cluster.bro - scripts/base/frameworks/tunnels/__load__.bro - 
scripts/base/frameworks/tunnels/main.bro - scripts/base/protocols/conn/__load__.bro - scripts/base/protocols/conn/main.bro - scripts/base/protocols/conn/contents.bro - scripts/base/protocols/conn/inactivity.bro - scripts/base/protocols/conn/polling.bro - scripts/base/protocols/conn/thresholds.bro - scripts/base/protocols/dce-rpc/__load__.bro - scripts/base/protocols/dce-rpc/consts.bro - scripts/base/protocols/dce-rpc/main.bro - scripts/base/protocols/dhcp/__load__.bro - scripts/base/protocols/dhcp/consts.bro - scripts/base/protocols/dhcp/main.bro - scripts/base/protocols/dnp3/__load__.bro - scripts/base/protocols/dnp3/main.bro - scripts/base/protocols/dnp3/consts.bro - scripts/base/protocols/dns/__load__.bro - scripts/base/protocols/dns/consts.bro - scripts/base/protocols/dns/main.bro - scripts/base/protocols/ftp/__load__.bro - scripts/base/protocols/ftp/utils-commands.bro - scripts/base/protocols/ftp/info.bro - scripts/base/protocols/ftp/main.bro - scripts/base/protocols/ftp/utils.bro - scripts/base/protocols/ftp/files.bro - scripts/base/protocols/ftp/gridftp.bro - scripts/base/protocols/ssl/__load__.bro - scripts/base/protocols/ssl/consts.bro - scripts/base/protocols/ssl/main.bro - scripts/base/protocols/ssl/mozilla-ca-list.bro - scripts/base/protocols/ssl/ct-list.bro - scripts/base/protocols/ssl/files.bro - scripts/base/files/x509/__load__.bro - scripts/base/files/x509/main.bro - scripts/base/files/hash/__load__.bro - scripts/base/files/hash/main.bro - scripts/base/protocols/http/__load__.bro - scripts/base/protocols/http/main.bro - scripts/base/protocols/http/entities.bro - scripts/base/protocols/http/utils.bro - scripts/base/protocols/http/files.bro - scripts/base/protocols/imap/__load__.bro - scripts/base/protocols/imap/main.bro - scripts/base/protocols/irc/__load__.bro - scripts/base/protocols/irc/main.bro - scripts/base/protocols/irc/dcc-send.bro - scripts/base/protocols/irc/files.bro - scripts/base/protocols/krb/__load__.bro - 
scripts/base/protocols/krb/main.bro - scripts/base/protocols/krb/consts.bro - scripts/base/protocols/krb/files.bro - scripts/base/protocols/modbus/__load__.bro - scripts/base/protocols/modbus/consts.bro - scripts/base/protocols/modbus/main.bro - scripts/base/protocols/mysql/__load__.bro - scripts/base/protocols/mysql/main.bro - scripts/base/protocols/mysql/consts.bro - scripts/base/protocols/ntlm/__load__.bro - scripts/base/protocols/ntlm/main.bro - scripts/base/protocols/pop3/__load__.bro - scripts/base/protocols/radius/__load__.bro - scripts/base/protocols/radius/main.bro - scripts/base/protocols/radius/consts.bro - scripts/base/protocols/rdp/__load__.bro - scripts/base/protocols/rdp/consts.bro - scripts/base/protocols/rdp/main.bro - scripts/base/protocols/rfb/__load__.bro - scripts/base/protocols/rfb/main.bro - scripts/base/protocols/sip/__load__.bro - scripts/base/protocols/sip/main.bro - scripts/base/protocols/snmp/__load__.bro - scripts/base/protocols/snmp/main.bro - scripts/base/protocols/smb/__load__.bro - scripts/base/protocols/smb/consts.bro - scripts/base/protocols/smb/const-dos-error.bro - scripts/base/protocols/smb/const-nt-status.bro - scripts/base/protocols/smb/main.bro - scripts/base/protocols/smb/smb1-main.bro - scripts/base/protocols/smb/smb2-main.bro - scripts/base/protocols/smb/files.bro - scripts/base/protocols/smtp/__load__.bro - scripts/base/protocols/smtp/main.bro - scripts/base/protocols/smtp/entities.bro - scripts/base/protocols/smtp/files.bro - scripts/base/protocols/socks/__load__.bro - scripts/base/protocols/socks/consts.bro - scripts/base/protocols/socks/main.bro - scripts/base/protocols/ssh/__load__.bro - scripts/base/protocols/ssh/main.bro - scripts/base/protocols/syslog/__load__.bro - scripts/base/protocols/syslog/consts.bro - scripts/base/protocols/syslog/main.bro - scripts/base/protocols/tunnels/__load__.bro - scripts/base/protocols/xmpp/__load__.bro - scripts/base/protocols/xmpp/main.bro - scripts/base/files/pe/__load__.bro - 
scripts/base/files/pe/consts.bro - scripts/base/files/pe/main.bro - scripts/base/files/extract/__load__.bro - scripts/base/files/extract/main.bro - scripts/base/files/unified2/__load__.bro - scripts/base/files/unified2/main.bro - scripts/base/misc/find-checksum-offloading.bro - scripts/base/misc/find-filtered-trace.bro - scripts/base/misc/version.bro -scripts/policy/misc/loaded-scripts.bro +scripts/base/init-bare.zeek + build/scripts/base/bif/const.bif.zeek + build/scripts/base/bif/types.bif.zeek + build/scripts/base/bif/bro.bif.zeek + build/scripts/base/bif/stats.bif.zeek + build/scripts/base/bif/reporter.bif.zeek + build/scripts/base/bif/strings.bif.zeek + build/scripts/base/bif/option.bif.zeek + build/scripts/base/bif/plugins/Bro_SNMP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_KRB.types.bif.zeek + build/scripts/base/bif/event.bif.zeek +scripts/base/init-frameworks-and-bifs.zeek + scripts/base/frameworks/logging/__load__.zeek + scripts/base/frameworks/logging/main.zeek + build/scripts/base/bif/logging.bif.zeek + scripts/base/frameworks/logging/postprocessors/__load__.zeek + scripts/base/frameworks/logging/postprocessors/scp.zeek + scripts/base/frameworks/logging/postprocessors/sftp.zeek + scripts/base/frameworks/logging/writers/ascii.zeek + scripts/base/frameworks/logging/writers/sqlite.zeek + scripts/base/frameworks/logging/writers/none.zeek + scripts/base/frameworks/broker/__load__.zeek + scripts/base/frameworks/broker/main.zeek + build/scripts/base/bif/comm.bif.zeek + build/scripts/base/bif/messaging.bif.zeek + scripts/base/frameworks/broker/store.zeek + build/scripts/base/bif/data.bif.zeek + build/scripts/base/bif/store.bif.zeek + scripts/base/frameworks/broker/log.zeek + scripts/base/frameworks/input/__load__.zeek + scripts/base/frameworks/input/main.zeek + build/scripts/base/bif/input.bif.zeek + scripts/base/frameworks/input/readers/ascii.zeek + scripts/base/frameworks/input/readers/raw.zeek + scripts/base/frameworks/input/readers/benchmark.zeek + 
scripts/base/frameworks/input/readers/binary.zeek + scripts/base/frameworks/input/readers/config.zeek + scripts/base/frameworks/input/readers/sqlite.zeek + scripts/base/frameworks/analyzer/__load__.zeek + scripts/base/frameworks/analyzer/main.zeek + scripts/base/frameworks/packet-filter/utils.zeek + build/scripts/base/bif/analyzer.bif.zeek + scripts/base/frameworks/files/__load__.zeek + scripts/base/frameworks/files/main.zeek + build/scripts/base/bif/file_analysis.bif.zeek + scripts/base/utils/site.zeek + scripts/base/utils/patterns.zeek + scripts/base/frameworks/files/magic/__load__.zeek + build/scripts/base/bif/__load__.zeek + build/scripts/base/bif/broxygen.bif.zeek + build/scripts/base/bif/pcap.bif.zeek + build/scripts/base/bif/bloom-filter.bif.zeek + build/scripts/base/bif/cardinality-counter.bif.zeek + build/scripts/base/bif/top-k.bif.zeek + build/scripts/base/bif/plugins/__load__.zeek + build/scripts/base/bif/plugins/Bro_ARP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.zeek + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.zeek + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.zeek + build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DHCP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_DNP3.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DNS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_File.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Finger.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.zeek + build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.zeek + 
build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.zeek + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Ident.events.bif.zeek + build/scripts/base/bif/plugins/Bro_IMAP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_InterConn.events.bif.zeek + build/scripts/base/bif/plugins/Bro_IRC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_KRB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Login.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Login.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_MIME.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.zeek + build/scripts/base/bif/plugins/Bro_MySQL.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NCP.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_NTLM.types.bif.zeek + build/scripts/base/bif/plugins/Bro_NTLM.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_POP3.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RDP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RDP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_RFB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RPC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SIP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SNMP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.zeek + 
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.consts.bif.zeek + 
build/scripts/base/bif/plugins/Bro_SMB.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSH.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SSH.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.zeek + build/scripts/base/bif/plugins/Bro_TCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.zeek + build/scripts/base/bif/plugins/Bro_UDP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.zeek + build/scripts/base/bif/plugins/Bro_XMPP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_FileHash.events.bif.zeek + build/scripts/base/bif/plugins/Bro_PE.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Unified2.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Unified2.types.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.events.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.types.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.zeek + build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.zeek + build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.zeek + build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.zeek + build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.zeek + 
build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.zeek + build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.zeek + build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.zeek + build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.zeek + build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.zeek +scripts/base/init-default.zeek + scripts/base/utils/active-http.zeek + scripts/base/utils/exec.zeek + scripts/base/utils/addrs.zeek + scripts/base/utils/conn-ids.zeek + scripts/base/utils/dir.zeek + scripts/base/frameworks/reporter/__load__.zeek + scripts/base/frameworks/reporter/main.zeek + scripts/base/utils/paths.zeek + scripts/base/utils/directions-and-hosts.zeek + scripts/base/utils/email.zeek + scripts/base/utils/files.zeek + scripts/base/utils/geoip-distance.zeek + scripts/base/utils/hash_hrw.zeek + scripts/base/utils/numbers.zeek + scripts/base/utils/queue.zeek + scripts/base/utils/strings.zeek + scripts/base/utils/thresholds.zeek + scripts/base/utils/time.zeek + scripts/base/utils/urls.zeek + scripts/base/frameworks/notice/__load__.zeek + scripts/base/frameworks/notice/main.zeek + scripts/base/frameworks/cluster/__load__.zeek + scripts/base/frameworks/cluster/main.zeek + scripts/base/frameworks/control/__load__.zeek + scripts/base/frameworks/control/main.zeek + scripts/base/frameworks/cluster/pools.zeek + scripts/base/frameworks/notice/weird.zeek + scripts/base/frameworks/notice/actions/drop.zeek + scripts/base/frameworks/netcontrol/__load__.zeek + scripts/base/frameworks/netcontrol/types.zeek + scripts/base/frameworks/netcontrol/main.zeek + scripts/base/frameworks/netcontrol/plugin.zeek + scripts/base/frameworks/netcontrol/plugins/__load__.zeek + scripts/base/frameworks/netcontrol/plugins/debug.zeek + scripts/base/frameworks/netcontrol/plugins/openflow.zeek + scripts/base/frameworks/openflow/__load__.zeek + scripts/base/frameworks/openflow/consts.zeek + scripts/base/frameworks/openflow/types.zeek + scripts/base/frameworks/openflow/main.zeek + 
scripts/base/frameworks/openflow/plugins/__load__.zeek + scripts/base/frameworks/openflow/plugins/ryu.zeek + scripts/base/utils/json.zeek + scripts/base/frameworks/openflow/plugins/log.zeek + scripts/base/frameworks/openflow/plugins/broker.zeek + scripts/base/frameworks/openflow/non-cluster.zeek + scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek + scripts/base/frameworks/netcontrol/plugins/broker.zeek + scripts/base/frameworks/netcontrol/plugins/acld.zeek + scripts/base/frameworks/netcontrol/drop.zeek + scripts/base/frameworks/netcontrol/shunt.zeek + scripts/base/frameworks/netcontrol/catch-and-release.zeek + scripts/base/frameworks/netcontrol/non-cluster.zeek + scripts/base/frameworks/notice/actions/email_admin.zeek + scripts/base/frameworks/notice/actions/page.zeek + scripts/base/frameworks/notice/actions/add-geodata.zeek + scripts/base/frameworks/notice/actions/pp-alarms.zeek + scripts/base/frameworks/dpd/__load__.zeek + scripts/base/frameworks/dpd/main.zeek + scripts/base/frameworks/signatures/__load__.zeek + scripts/base/frameworks/signatures/main.zeek + scripts/base/frameworks/packet-filter/__load__.zeek + scripts/base/frameworks/packet-filter/main.zeek + scripts/base/frameworks/packet-filter/netstats.zeek + scripts/base/frameworks/software/__load__.zeek + scripts/base/frameworks/software/main.zeek + scripts/base/frameworks/intel/__load__.zeek + scripts/base/frameworks/intel/main.zeek + scripts/base/frameworks/intel/files.zeek + scripts/base/frameworks/intel/input.zeek + scripts/base/frameworks/config/__load__.zeek + scripts/base/frameworks/config/main.zeek + scripts/base/frameworks/config/input.zeek + scripts/base/frameworks/config/weird.zeek + scripts/base/frameworks/sumstats/__load__.zeek + scripts/base/frameworks/sumstats/main.zeek + scripts/base/frameworks/sumstats/plugins/__load__.zeek + scripts/base/frameworks/sumstats/plugins/average.zeek + scripts/base/frameworks/sumstats/plugins/hll_unique.zeek + 
scripts/base/frameworks/sumstats/plugins/last.zeek + scripts/base/frameworks/sumstats/plugins/max.zeek + scripts/base/frameworks/sumstats/plugins/min.zeek + scripts/base/frameworks/sumstats/plugins/sample.zeek + scripts/base/frameworks/sumstats/plugins/std-dev.zeek + scripts/base/frameworks/sumstats/plugins/variance.zeek + scripts/base/frameworks/sumstats/plugins/sum.zeek + scripts/base/frameworks/sumstats/plugins/topk.zeek + scripts/base/frameworks/sumstats/plugins/unique.zeek + scripts/base/frameworks/sumstats/non-cluster.zeek + scripts/base/frameworks/tunnels/__load__.zeek + scripts/base/frameworks/tunnels/main.zeek + scripts/base/protocols/conn/__load__.zeek + scripts/base/protocols/conn/main.zeek + scripts/base/protocols/conn/contents.zeek + scripts/base/protocols/conn/inactivity.zeek + scripts/base/protocols/conn/polling.zeek + scripts/base/protocols/conn/thresholds.zeek + scripts/base/protocols/dce-rpc/__load__.zeek + scripts/base/protocols/dce-rpc/consts.zeek + scripts/base/protocols/dce-rpc/main.zeek + scripts/base/protocols/dhcp/__load__.zeek + scripts/base/protocols/dhcp/consts.zeek + scripts/base/protocols/dhcp/main.zeek + scripts/base/protocols/dnp3/__load__.zeek + scripts/base/protocols/dnp3/main.zeek + scripts/base/protocols/dnp3/consts.zeek + scripts/base/protocols/dns/__load__.zeek + scripts/base/protocols/dns/consts.zeek + scripts/base/protocols/dns/main.zeek + scripts/base/protocols/ftp/__load__.zeek + scripts/base/protocols/ftp/utils-commands.zeek + scripts/base/protocols/ftp/info.zeek + scripts/base/protocols/ftp/main.zeek + scripts/base/protocols/ftp/utils.zeek + scripts/base/protocols/ftp/files.zeek + scripts/base/protocols/ftp/gridftp.zeek + scripts/base/protocols/ssl/__load__.zeek + scripts/base/protocols/ssl/consts.zeek + scripts/base/protocols/ssl/main.zeek + scripts/base/protocols/ssl/mozilla-ca-list.zeek + scripts/base/protocols/ssl/ct-list.zeek + scripts/base/protocols/ssl/files.zeek + scripts/base/files/x509/__load__.zeek + 
scripts/base/files/x509/main.zeek + scripts/base/files/hash/__load__.zeek + scripts/base/files/hash/main.zeek + scripts/base/protocols/http/__load__.zeek + scripts/base/protocols/http/main.zeek + scripts/base/protocols/http/entities.zeek + scripts/base/protocols/http/utils.zeek + scripts/base/protocols/http/files.zeek + scripts/base/protocols/imap/__load__.zeek + scripts/base/protocols/imap/main.zeek + scripts/base/protocols/irc/__load__.zeek + scripts/base/protocols/irc/main.zeek + scripts/base/protocols/irc/dcc-send.zeek + scripts/base/protocols/irc/files.zeek + scripts/base/protocols/krb/__load__.zeek + scripts/base/protocols/krb/main.zeek + scripts/base/protocols/krb/consts.zeek + scripts/base/protocols/krb/files.zeek + scripts/base/protocols/modbus/__load__.zeek + scripts/base/protocols/modbus/consts.zeek + scripts/base/protocols/modbus/main.zeek + scripts/base/protocols/mysql/__load__.zeek + scripts/base/protocols/mysql/main.zeek + scripts/base/protocols/mysql/consts.zeek + scripts/base/protocols/ntlm/__load__.zeek + scripts/base/protocols/ntlm/main.zeek + scripts/base/protocols/pop3/__load__.zeek + scripts/base/protocols/radius/__load__.zeek + scripts/base/protocols/radius/main.zeek + scripts/base/protocols/radius/consts.zeek + scripts/base/protocols/rdp/__load__.zeek + scripts/base/protocols/rdp/consts.zeek + scripts/base/protocols/rdp/main.zeek + scripts/base/protocols/rfb/__load__.zeek + scripts/base/protocols/rfb/main.zeek + scripts/base/protocols/sip/__load__.zeek + scripts/base/protocols/sip/main.zeek + scripts/base/protocols/snmp/__load__.zeek + scripts/base/protocols/snmp/main.zeek + scripts/base/protocols/smb/__load__.zeek + scripts/base/protocols/smb/consts.zeek + scripts/base/protocols/smb/const-dos-error.zeek + scripts/base/protocols/smb/const-nt-status.zeek + scripts/base/protocols/smb/main.zeek + scripts/base/protocols/smb/smb1-main.zeek + scripts/base/protocols/smb/smb2-main.zeek + scripts/base/protocols/smb/files.zeek + 
scripts/base/protocols/smtp/__load__.zeek + scripts/base/protocols/smtp/main.zeek + scripts/base/protocols/smtp/entities.zeek + scripts/base/protocols/smtp/files.zeek + scripts/base/protocols/socks/__load__.zeek + scripts/base/protocols/socks/consts.zeek + scripts/base/protocols/socks/main.zeek + scripts/base/protocols/ssh/__load__.zeek + scripts/base/protocols/ssh/main.zeek + scripts/base/protocols/syslog/__load__.zeek + scripts/base/protocols/syslog/consts.zeek + scripts/base/protocols/syslog/main.zeek + scripts/base/protocols/tunnels/__load__.zeek + scripts/base/protocols/xmpp/__load__.zeek + scripts/base/protocols/xmpp/main.zeek + scripts/base/files/pe/__load__.zeek + scripts/base/files/pe/consts.zeek + scripts/base/files/pe/main.zeek + scripts/base/files/extract/__load__.zeek + scripts/base/files/extract/main.zeek + scripts/base/files/unified2/__load__.zeek + scripts/base/files/unified2/main.zeek + scripts/base/misc/find-checksum-offloading.zeek + scripts/base/misc/find-filtered-trace.zeek + scripts/base/misc/version.zeek +scripts/policy/misc/loaded-scripts.zeek #close 2018-09-05-20-33-08 diff --git a/testing/btest/Baseline/coverage.init-default/missing_loads b/testing/btest/Baseline/coverage.init-default/missing_loads index 31966f11c1..893a603972 100644 --- a/testing/btest/Baseline/coverage.init-default/missing_loads +++ b/testing/btest/Baseline/coverage.init-default/missing_loads 
@@ -1,10 +1,10 @@
--./frameworks/cluster/nodes/logger.bro
--./frameworks/cluster/nodes/manager.bro
--./frameworks/cluster/nodes/proxy.bro
--./frameworks/cluster/nodes/worker.bro
--./frameworks/cluster/setup-connections.bro
--./frameworks/intel/cluster.bro
--./frameworks/netcontrol/cluster.bro
--./frameworks/openflow/cluster.bro
--./frameworks/packet-filter/cluster.bro
--./frameworks/sumstats/cluster.bro
+-./frameworks/cluster/nodes/logger.zeek
+-./frameworks/cluster/nodes/manager.zeek
+-./frameworks/cluster/nodes/proxy.zeek
+-./frameworks/cluster/nodes/worker.zeek
+-./frameworks/cluster/setup-connections.zeek
+-./frameworks/intel/cluster.zeek
+-./frameworks/netcontrol/cluster.zeek
+-./frameworks/openflow/cluster.zeek
+-./frameworks/packet-filter/cluster.zeek
+-./frameworks/sumstats/cluster.zeek
diff --git a/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr b/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr
index da6c357abf..177214239c 100644
--- a/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr
+++ b/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr
@@ -1,11 +1,11 @@
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 245: deprecated (dhcp_discover)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 248: deprecated (dhcp_offer)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 251: deprecated (dhcp_request)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 254: deprecated (dhcp_decline)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 257: deprecated (dhcp_ack)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 260: deprecated (dhcp_nak)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 263: deprecated (dhcp_release)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 266: deprecated (dhcp_inform)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.bro, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/scripts/broxygen/__load__.bro:10 "Use '@load base/protocols/smb' instead"
-error in /Users/jon/projects/bro/bro/scripts/policy/frameworks/control/controller.bro, line 22: The '' control command is unknown.
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 245: deprecated (dhcp_discover) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 248: deprecated (dhcp_offer) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 251: deprecated (dhcp_request) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 254: deprecated (dhcp_decline) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 257: deprecated (dhcp_ack) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 260: deprecated (dhcp_nak) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 263: deprecated (dhcp_release) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 266: deprecated (dhcp_inform) +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/scripts/broxygen/__load__.zeek:10 "Use '@load base/protocols/smb' instead" +error in /Users/jon/projects/bro/bro/scripts/policy/frameworks/control/controller.zeek, line 22: The '' control command is unknown. , line 1: received termination signal diff --git a/testing/btest/Baseline/doc.broxygen.example/example.rst b/testing/btest/Baseline/doc.broxygen.example/example.rst index d729ab85ee..e012c20051 100644 --- a/testing/btest/Baseline/doc.broxygen.example/example.rst +++ b/testing/btest/Baseline/doc.broxygen.example/example.rst @@ -1,7 +1,7 @@ :tocdepth: 3 -broxygen/example.bro -==================== +broxygen/example.zeek +===================== .. bro:namespace:: BroxygenExample This is an example script that demonstrates Broxygen-style 
@@ -27,7 +27,7 @@ And a custom directive does the equivalent references: .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info :Namespace: BroxygenExample -:Imports: :doc:`base/frameworks/notice `, :doc:`base/protocols/http `, :doc:`policy/frameworks/software/vulnerable.bro ` +:Imports: :doc:`base/frameworks/notice `, :doc:`base/protocols/http `, :doc:`policy/frameworks/software/vulnerable.zeek ` Summary ~~~~~~~ diff --git a/testing/btest/Baseline/doc.broxygen.package/test.rst b/testing/btest/Baseline/doc.broxygen.package/test.rst index b96de2148b..7c1f32dd44 100644 --- a/testing/btest/Baseline/doc.broxygen.package/test.rst +++ b/testing/btest/Baseline/doc.broxygen.package/test.rst @@ -8,10 +8,10 @@ reference documentation for all Bro scripts (i.e. "Broxygen"). Its only purpose is to provide an easy way to load all known Bro scripts plus any extra scripts needed or used by the documentation process. -:doc:`/scripts/broxygen/__load__.bro` +:doc:`/scripts/broxygen/__load__.zeek` -:doc:`/scripts/broxygen/example.bro` +:doc:`/scripts/broxygen/example.zeek` This is an example script that demonstrates Broxygen-style documentation. It generally will make most sense when viewing diff --git a/testing/btest/Baseline/doc.broxygen.script_index/test.rst b/testing/btest/Baseline/doc.broxygen.script_index/test.rst index dda280facf..30d849c2e0 100644 --- a/testing/btest/Baseline/doc.broxygen.script_index/test.rst +++ b/testing/btest/Baseline/doc.broxygen.script_index/test.rst @@ -1,5 +1,5 @@ .. toctree:: :maxdepth: 1 - broxygen/__load__.bro - broxygen/example.bro + broxygen/__load__.zeek + broxygen/example.zeek diff --git a/testing/btest/Baseline/doc.broxygen.script_summary/test.rst b/testing/btest/Baseline/doc.broxygen.script_summary/test.rst index 125a579c81..509f2c9286 100644 --- a/testing/btest/Baseline/doc.broxygen.script_summary/test.rst +++ b/testing/btest/Baseline/doc.broxygen.script_summary/test.rst 
@@ -1,4 +1,4 @@ -:doc:`/scripts/broxygen/example.bro` +:doc:`/scripts/broxygen/example.zeek` This is an example script that demonstrates Broxygen-style documentation. It generally will make most sense when viewing the script's raw source code and comparing to the HTML-rendered diff --git a/testing/btest/Baseline/language.index-assignment-invalid/out b/testing/btest/Baseline/language.index-assignment-invalid/out index 3972a9f10e..44e82d16f6 100644 --- a/testing/btest/Baseline/language.index-assignment-invalid/out +++ b/testing/btest/Baseline/language.index-assignment-invalid/out @@ -1,4 +1,4 @@ -runtime error in /home/jon/pro/zeek/zeek/scripts/base/utils/queue.bro, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=], expression: Queue::ret[Queue::j], call stack: +runtime error in /home/jon/pro/zeek/zeek/scripts/base/utils/queue.zeek, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=], expression: Queue::ret[Queue::j], call stack: #0 Queue::get_vector([initialized=T, vals={[2] = test,[6] = jkl;,[4] = asdf,[1] = goodbye,[5] = 3,[0] = hello,[3] = [a=T, b=hi, c=]}, settings=[max_len=], top=7, bottom=0, size=0], [hello, goodbye, test]) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:19 #1 bar(55) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:27 #2 foo(hi, 13) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:39 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index 90d390518f..c6dec0f9aa 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output 
@@ -6,6 +6,6 @@ #open 2019-03-24-20-20-10 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/zeek/scripts/base/frameworks/intel/./main.bro, lines 563-564 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/zeek/scripts/base/frameworks/intel/./main.zeek, lines 563-564 0.000000 Reporter::INFO received termination signal (empty) #close 2019-03-24-20-20-10 diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 index c2f791ba82..2f84ca097a 100644 --- a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 +++ b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 @@ -1 +1 @@ -1389719059.311687 warning in /Users/jsiwek/Projects/bro/bro/scripts/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired. +1389719059.311687 warning in /Users/jsiwek/Projects/bro/bro/scripts/base/misc/find-filtered-trace.zeek, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired. diff --git a/testing/btest/Baseline/scripts.base.misc.version/.stderr b/testing/btest/Baseline/scripts.base.misc.version/.stderr index bfae6163df..28da0b203a 100644 --- a/testing/btest/Baseline/scripts.base.misc.version/.stderr +++ b/testing/btest/Baseline/scripts.base.misc.version/.stderr 
@@ -1,4 +1,4 @@ -error in /home/robin/bro/master/scripts/base/misc/version.bro, line 54: Version string 1 cannot be parsed -error in /home/robin/bro/master/scripts/base/misc/version.bro, line 54: Version string 12.5 cannot be parsed -error in /home/robin/bro/master/scripts/base/misc/version.bro, line 54: Version string 1.12-beta-drunk cannot be parsed -error in /home/robin/bro/master/scripts/base/misc/version.bro, line 54: Version string JustARandomString cannot be parsed +error in /home/robin/bro/master/scripts/base/misc/version.zeek, line 54: Version string 1 cannot be parsed +error in /home/robin/bro/master/scripts/base/misc/version.zeek, line 54: Version string 12.5 cannot be parsed +error in /home/robin/bro/master/scripts/base/misc/version.zeek, line 54: Version string 1.12-beta-drunk cannot be parsed +error in /home/robin/bro/master/scripts/base/misc/version.zeek, line 54: Version string JustARandomString cannot be parsed diff --git a/testing/btest/core/ip-broken-header.bro b/testing/btest/core/ip-broken-header.bro index 426e7a7bc0..a539628829 100644 --- a/testing/btest/core/ip-broken-header.bro +++ b/testing/btest/core/ip-broken-header.bro @@ -4,4 +4,4 @@ # @TEST-EXEC: gunzip -c $TRACES/trunc/mpls-6in6-broken.pcap.gz | bro -C -b -r - %INPUT # @TEST-EXEC: btest-diff weird.log -@load base/frameworks/notice/weird.bro +@load base/frameworks/notice/weird diff --git a/testing/btest/core/load-prefixes.bro b/testing/btest/core/load-prefixes.bro index 5d064c0d36..5147bd0250 100644 --- a/testing/btest/core/load-prefixes.bro +++ b/testing/btest/core/load-prefixes.bro 
@@ -8,14 +8,14 @@ @prefixes += lcl2 @TEST-END-FILE -# Since base/utils/site.bro is a script, only a script with the original file +# Since base/utils/site.zeek is a script, only a script with the original file # extension can be loaded here. -@TEST-START-FILE lcl.base.utils.site.bro -print "loaded lcl.base.utils.site.bro"; +@TEST-START-FILE lcl.base.utils.site.zeek +print "loaded lcl.base.utils.site.zeek"; @TEST-END-FILE -@TEST-START-FILE lcl2.base.utils.site.bro -print "loaded lcl2.base.utils.site.bro"; +@TEST-START-FILE lcl2.base.utils.site.zeek +print "loaded lcl2.base.utils.site.zeek"; @TEST-END-FILE # For a script package like base/protocols/http/, either of the recognized diff --git a/testing/btest/coverage/bare-load-baseline.test b/testing/btest/coverage/bare-load-baseline.test index e518e703fb..98ce72e4b8 100644 --- a/testing/btest/coverage/bare-load-baseline.test +++ b/testing/btest/coverage/bare-load-baseline.test @@ -1,6 +1,6 @@ # This test is meant to cover whether the set of scripts that get loaded by # default in bare mode matches a baseline of known defaults. The baseline -# should only need updating if something new is @load'd from init-bare.bro +# should only need updating if something new is @load'd from init-bare.zeek # (or from an @load'd descendent of it). # # As the output has absolute paths in it, we need to remove the common diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test index 2310b66b4b..6f5e6983f6 100644 --- a/testing/btest/coverage/bare-mode-errors.test +++ b/testing/btest/coverage/bare-mode-errors.test 
@@ -5,5 +5,5 @@ # when writing a new bro scripts. # # @TEST-EXEC: test -d $DIST/scripts -# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.bro`; do bro -b --parse-only $script >>errors 2>&1; done +# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.zeek`; do bro -b --parse-only $script >>errors 2>&1; done # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-sort" btest-diff errors diff --git a/testing/btest/coverage/find-bro-logs.test b/testing/btest/coverage/find-bro-logs.test index e7bcf0578f..ee0e45262b 100644 --- a/testing/btest/coverage/find-bro-logs.test +++ b/testing/btest/coverage/find-bro-logs.test @@ -28,7 +28,7 @@ def find_scripts(): for r, d, f in os.walk(scriptdir): for fname in f: - if fname.endswith(".bro"): + if fname.endswith(".zeek") or fname.endswith(".bro"): scripts.append(os.path.join(r, fname)) return scripts diff --git a/testing/btest/coverage/init-default.test b/testing/btest/coverage/init-default.test index 537b5ca77d..edc0012ef1 100644 --- a/testing/btest/coverage/init-default.test +++ b/testing/btest/coverage/init-default.test 
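Review bot: The `find` in the changed TEST-EXEC line of bare-mode-errors.test now matches only `\*\.zeek`, so any script under `$DIST/scripts` that still carries the old `.bro` extension silently drops out of the `--parse-only` check. The find-bro-logs.test hunk in this same change keeps accepting both extensions, which suggests `.bro` scripts are still expected to exist; if so, match both here as well: `find $DIST/scripts/ \( -name \*.zeek -o -name \*.bro \)`. The init-default.test hunk narrows its search the same way with `find . -name '*.zeek'`, where an unlisted `.bro` script under scripts/base would no longer show up in missing_loads.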
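Review bot: The two chained `endswith` calls in the added line of find-bro-logs.test can be a single call with a tuple, `if fname.endswith((".zeek", ".bro")):`, which keeps the accepted extensions in one place. A short comment such as `# .bro is still accepted for scripts that have not been renamed` would record why the old extension stays; that reason is my reading of the change, so confirm it before adding. The body of find_scripts() starts above this hunk, so only the loop is visible here.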
@@ -1,19 +1,19 @@ -# Makes sure that all base/* scripts are loaded by default via init-default.bro; -# and that all scripts loaded there in there actually exist. +# Makes sure that all base/* scripts are loaded by default via +# init-default.zeek; and that all scripts loaded there actually exist. # # This test will fail if a new bro script is added under the scripts/base/ -# directory and it is not also added as an @load in base/init-default.bro. +# directory and it is not also added as an @load in base/init-default.zeek. # In some cases, a script in base is loaded based on the bro configuration # (e.g. cluster operation), and in such cases, the missing_loads baseline # can be adjusted to tolerate that. #@TEST-EXEC: test -d $DIST/scripts/base -#@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro -#@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found" +#@TEST-EXEC: test -e $DIST/scripts/base/init-default.zeek +#@TEST-EXEC: ( cd $DIST/scripts/base && find . 
-name '*.zeek' ) | sort >"all scripts found" #@TEST-EXEC: bro misc/loaded-scripts #@TEST-EXEC: (test -L $BUILD && basename $(readlink $BUILD) || basename $BUILD) >buildprefix -#@TEST-EXEC: cat loaded_scripts.log | egrep -v "/build/scripts/|$(cat buildprefix)/scripts/|/loaded-scripts.bro|#" | sed 's#/./#/#g' >loaded_scripts.log.tmp +#@TEST-EXEC: cat loaded_scripts.log | egrep -v "/build/scripts/|$(cat buildprefix)/scripts/|/loaded-scripts.zeek|#" | sed 's#/./#/#g' >loaded_scripts.log.tmp #@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix -#@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed "s#`cat prefix`#./#g" | sort >init-default.bro -#@TEST-EXEC: diff -u "all scripts found" init-default.bro | egrep "^-[^-]" > missing_loads +#@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed "s#`cat prefix`#./#g" | sort >init-default.zeek +#@TEST-EXEC: diff -u "all scripts found" init-default.zeek | egrep "^-[^-]" > missing_loads #@TEST-EXEC: btest-diff missing_loads diff --git a/testing/btest/coverage/test-all-policy.test b/testing/btest/coverage/test-all-policy.test index 3a545a02af..61e4297f83 100644 --- a/testing/btest/coverage/test-all-policy.test +++ b/testing/btest/coverage/test-all-policy.test 
@@ -1,12 +1,12 @@ # Makes sure that all policy/* scripts are loaded in -# scripts/test-all-policy.bro and that all scripts loaded there actually exist. +# scripts/test-all-policy.zeek and that all scripts loaded there actually exist. # # This test will fail if new bro scripts are added to the scripts/policy/ -# directory. Correcting that just involves updating scripts/test-all-policy.bro -# to @load the new bro scripts. +# directory. Correcting that just involves updating +# scripts/test-all-policy.zeek to @load the new bro scripts. -@TEST-EXEC: test -e $DIST/scripts/test-all-policy.bro +@TEST-EXEC: test -e $DIST/scripts/test-all-policy.zeek @TEST-EXEC: test -d $DIST/scripts -@TEST-EXEC: ( cd $DIST/scripts/policy && find . -name '*.bro' ) | sort >"all scripts found" -@TEST-EXEC: cat $DIST/scripts/test-all-policy.bro | grep '@load' | sed 'sm^\( *# *\)\{0,\}@load *m./mg' | sort >test-all-policy.bro -@TEST-EXEC: diff -u "all scripts found" test-all-policy.bro 1>&2 +@TEST-EXEC: ( cd $DIST/scripts/policy && find . -name '*.zeek' ) | sort >"all scripts found" +@TEST-EXEC: cat $DIST/scripts/test-all-policy.zeek | grep '@load' | sed 'sm^\( *# *\)\{0,\}@load *m./mg' | sort >test-all-policy.zeek +@TEST-EXEC: diff -u "all scripts found" test-all-policy.zeek 1>&2 diff --git a/testing/btest/doc/broxygen/example.bro b/testing/btest/doc/broxygen/example.bro index 22a6fc7418..7a7d30c92a 100644 --- a/testing/btest/doc/broxygen/example.bro +++ b/testing/btest/doc/broxygen/example.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: btest-diff example.rst @TEST-START-FILE broxygen.config -script broxygen/example.bro example.rst +script broxygen/example.zeek example.rst @TEST-END-FILE -@load broxygen/example.bro +@load broxygen/example diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.bro index a517a08072..6ea5e95576 100644 --- a/testing/btest/doc/broxygen/script_summary.bro +++ b/testing/btest/doc/broxygen/script_summary.bro 
@@ -3,7 +3,7 @@ # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config -script_summary broxygen/example.bro test.rst +script_summary broxygen/example.zeek test.rst @TEST-END-FILE @load broxygen diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro index c26683a338..e33f353d8b 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff testing.log -@load tuning/json-logs.bro +@load tuning/json-logs module testing; diff --git a/testing/btest/scripts/base/protocols/modbus/policy.bro b/testing/btest/scripts/base/protocols/modbus/policy.bro index b28ebd3b4b..8d5b356698 100644 --- a/testing/btest/scripts/base/protocols/modbus/policy.bro +++ b/testing/btest/scripts/base/protocols/modbus/policy.bro @@ -5,5 +5,5 @@ # @TEST-EXEC: btest-diff known_modbus.log # -@load protocols/modbus/known-masters-slaves.bro -@load protocols/modbus/track-memmap.bro +@load protocols/modbus/known-masters-slaves +@load protocols/modbus/track-memmap diff --git a/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test b/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test index d2aa7b536f..878d2a3064 100644 --- a/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test +++ b/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test @@ -3,4 +3,4 @@ # @TEST-EXEC: bro -r $TRACES/tls/CVE-2015-3194.pcap %INPUT # @TEST-EXEC: btest-diff ssl.log -@load protocols/ssl/validate-certs.bro +@load protocols/ssl/validate-certs diff --git a/testing/btest/scripts/base/protocols/ssl/keyexchange.test b/testing/btest/scripts/base/protocols/ssl/keyexchange.test index 6e1106ece7..9c65ea5dda 100644 --- a/testing/btest/scripts/base/protocols/ssl/keyexchange.test +++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test 
@@ -16,7 +16,7 @@ @load base/protocols/ssl @load base/files/x509 -@load protocols/ssl/extract-certs-pem.bro +@load protocols/ssl/extract-certs-pem module SSL; diff --git a/testing/btest/scripts/policy/misc/dump-events.bro b/testing/btest/scripts/policy/misc/dump-events.bro index 33c9c97534..d318266787 100644 --- a/testing/btest/scripts/policy/misc/dump-events.bro +++ b/testing/btest/scripts/policy/misc/dump-events.bro @@ -1,6 +1,6 @@ -# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT >all-events.log -# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include_args=F >all-events-no-args.log -# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include=/smtp_/ >smtp-events.log +# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events %INPUT >all-events.log +# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events %INPUT DumpEvents::include_args=F >all-events-no-args.log +# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events %INPUT DumpEvents::include=/smtp_/ >smtp-events.log # # @TEST-EXEC: btest-diff all-events.log # @TEST-EXEC: btest-diff all-events-no-args.log diff --git a/testing/btest/scripts/policy/misc/weird-stats.bro b/testing/btest/scripts/policy/misc/weird-stats.bro index b26fce8e47..d5b83e3c05 100644 --- a/testing/btest/scripts/policy/misc/weird-stats.bro +++ b/testing/btest/scripts/policy/misc/weird-stats.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/weird_stats.log -@load misc/weird-stats.bro +@load misc/weird-stats redef exit_only_after_terminate = T; redef WeirdStats::weird_stat_interval = 5sec; diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro index 4a3ec44468..712e333037 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro 
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro @@ -1,6 +1,6 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.bro %INPUT # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log -@load protocols/ssl/validate-certs.bro +@load protocols/ssl/validate-certs redef SSL::ssl_cache_intermediate_ca = F; diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro index 9a00919643..03803fe2fa 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro @@ -4,4 +4,4 @@ # @TEST-EXEC: cat ssl.log >> ssl-all.log # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log -@load protocols/ssl/validate-certs.bro +@load protocols/ssl/validate-certs diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro b/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro index 0e6065f937..8dbd358e17 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro @@ -5,7 +5,7 @@ # @TEST-EXEC: btest-diff .stdout # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log -@load protocols/ssl/validate-sct.bro +@load protocols/ssl/validate-sct module SSL; From 1c7e41e5067f2cbb51ea1612064993dfa28a06db Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 12 Apr 2019 13:21:10 -0700 Subject: [PATCH 66/88] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 7dab576984..de0c8e0ece 160000 --- a/aux/broker +++ b/aux/broker 
@@ -1 +1 @@
-Subproject commit 7dab576984dee1f58fe5ceb81f36b63128d58860
+Subproject commit de0c8e0ecea39dd556a16f4ecc0d482e936c38ac
From f96bc81f8599b2733f378b3a7edf5b062a88e648 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 12 Apr 2019 16:44:14 -0700 Subject: [PATCH 67/88] Updating submodule(s). [nomail]
---
aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aux/broctl b/aux/broctl
index afc0260abf..a49144d3dd 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit afc0260abf663f4b44d535d66d378fde7b0d5206
+Subproject commit a49144d3dd26d906ad906ace97db3d093c510142
From 8cefb9be422343034d5bda1fb95f5105a7e337d9 Mon Sep 17 00:00:00 2001
From: Seth Hall Date: Fri, 12 Apr 2019 22:29:40 +0200 Subject: [PATCH 68/88] Implement the zeek_init handler. Implements the change and a test. --- scripts/base/files/extract/main.bro | 2 +- scripts/base/files/pe/main.bro | 2 +- scripts/base/files/unified2/main.bro | 2 +- scripts/base/files/x509/main.bro | 2 +- scripts/base/frameworks/analyzer/main.bro | 2 +- scripts/base/frameworks/broker/log.bro | 2 +- scripts/base/frameworks/broker/main.bro | 4 +- scripts/base/frameworks/cluster/main.bro | 2 +- scripts/base/frameworks/cluster/pools.bro | 6 +-- .../frameworks/cluster/setup-connections.bro | 2 +- scripts/base/frameworks/config/input.bro | 2 +- scripts/base/frameworks/config/main.bro | 2 +- scripts/base/frameworks/config/weird.bro | 2 +- scripts/base/frameworks/dpd/main.bro | 2 +- scripts/base/frameworks/files/main.bro | 2 +- scripts/base/frameworks/intel/cluster.bro | 4 +- scripts/base/frameworks/intel/input.bro | 2 +- scripts/base/frameworks/intel/main.bro | 2 +- .../frameworks/logging/postprocessors/scp.bro | 2 +- .../logging/postprocessors/sftp.bro | 2 +- .../netcontrol/catch-and-release.bro | 6 +-- .../base/frameworks/netcontrol/cluster.bro | 4 +- scripts/base/frameworks/netcontrol/drop.bro | 2 +- scripts/base/frameworks/netcontrol/main.bro | 16 +++---- scripts/base/frameworks/netcontrol/shunt.bro | 2 +- .../frameworks/notice/actions/pp-alarms.bro | 2 +- scripts/base/frameworks/notice/main.bro | 4 +- scripts/base/frameworks/notice/weird.bro | 2 +- scripts/base/frameworks/openflow/cluster.bro | 2 +- .../base/frameworks/openflow/plugins/log.bro | 2 +- .../base/frameworks/packet-filter/main.bro | 4 +- .../frameworks/packet-filter/netstats.bro | 2 +- scripts/base/frameworks/reporter/main.bro | 2 +- scripts/base/frameworks/signatures/main.bro | 2 +- scripts/base/frameworks/software/main.bro | 2 +- scripts/base/frameworks/sumstats/cluster.bro | 4 +- scripts/base/frameworks/sumstats/main.bro | 2 +- scripts/base/frameworks/tunnels/main.bro | 2 +- 
.../base/misc/find-checksum-offloading.bro | 4 +- scripts/base/misc/find-filtered-trace.bro | 2 +- scripts/base/protocols/conn/main.bro | 2 +- scripts/base/protocols/dce-rpc/main.bro | 2 +- scripts/base/protocols/dhcp/main.bro | 6 +-- scripts/base/protocols/dnp3/main.bro | 2 +- scripts/base/protocols/dns/main.bro | 2 +- scripts/base/protocols/ftp/files.bro | 2 +- scripts/base/protocols/ftp/main.bro | 2 +- scripts/base/protocols/http/files.bro | 2 +- scripts/base/protocols/http/main.bro | 2 +- scripts/base/protocols/imap/main.bro | 2 +- scripts/base/protocols/irc/files.bro | 2 +- scripts/base/protocols/irc/main.bro | 2 +- scripts/base/protocols/krb/files.bro | 2 +- scripts/base/protocols/krb/main.bro | 2 +- scripts/base/protocols/modbus/main.bro | 2 +- scripts/base/protocols/mysql/main.bro | 2 +- scripts/base/protocols/ntlm/main.bro | 2 +- scripts/base/protocols/radius/main.bro | 2 +- scripts/base/protocols/rdp/main.bro | 2 +- scripts/base/protocols/rfb/main.bro | 2 +- scripts/base/protocols/sip/main.bro | 2 +- scripts/base/protocols/smb/files.bro | 2 +- scripts/base/protocols/smb/main.bro | 2 +- scripts/base/protocols/smtp/files.bro | 2 +- scripts/base/protocols/smtp/main.bro | 2 +- scripts/base/protocols/snmp/main.bro | 2 +- scripts/base/protocols/socks/main.bro | 2 +- scripts/base/protocols/ssh/main.bro | 2 +- scripts/base/protocols/ssl/files.bro | 2 +- scripts/base/protocols/ssl/main.bro | 2 +- scripts/base/protocols/syslog/main.bro | 2 +- scripts/base/protocols/xmpp/main.bro | 2 +- scripts/base/utils/exec.bro | 2 +- scripts/base/utils/site.bro | 2 +- scripts/broxygen/__load__.bro | 2 +- scripts/broxygen/example.bro | 2 +- scripts/policy/files/x509/log-ocsp.bro | 2 +- .../policy/frameworks/control/controllee.bro | 2 +- .../policy/frameworks/control/controller.bro | 2 +- .../policy/frameworks/packet-filter/shunt.bro | 2 +- .../policy/frameworks/software/vulnerable.bro | 2 +- scripts/policy/integration/barnyard2/main.bro | 2 +- scripts/policy/misc/capture-loss.bro 
| 2 +- .../policy/misc/detect-traceroute/main.bro | 2 +- scripts/policy/misc/load-balancing.bro | 2 +- scripts/policy/misc/loaded-scripts.bro | 2 +- scripts/policy/misc/profiling.bro | 2 +- scripts/policy/misc/scan.bro | 2 +- scripts/policy/misc/stats.bro | 4 +- scripts/policy/misc/trim-trace-file.bro | 2 +- scripts/policy/misc/weird-stats.bro | 2 +- scripts/policy/protocols/conn/known-hosts.bro | 4 +- .../policy/protocols/conn/known-services.bro | 4 +- .../protocols/ftp/detect-bruteforcing.bro | 2 +- scripts/policy/protocols/http/detect-sqli.bro | 2 +- .../protocols/modbus/known-masters-slaves.bro | 2 +- .../policy/protocols/modbus/track-memmap.bro | 2 +- scripts/policy/protocols/smb/log-cmds.bro | 2 +- .../protocols/ssh/detect-bruteforcing.bro | 2 +- scripts/policy/protocols/ssl/heartbleed.bro | 2 +- scripts/policy/protocols/ssl/known-certs.bro | 4 +- .../protocols/ssl/log-hostcerts-only.bro | 2 +- .../policy/protocols/ssl/validate-certs.bro | 2 +- scripts/policy/protocols/ssl/validate-sct.bro | 2 +- scripts/policy/tuning/defaults/warnings.bro | 2 +- src/Net.cc | 2 +- src/Val.cc | 2 +- src/analyzer/Manager.cc | 2 +- src/analyzer/Manager.h | 4 +- src/analyzer/protocol/tcp/events.bif | 2 +- src/bro.bif | 10 ++--- src/broker/Manager.cc | 6 +-- src/broker/Manager.h | 6 +-- src/event.bif | 34 +++++++++----- src/main.cc | 14 +++--- src/parse.y | 6 +++ testing/btest/Baseline/language.zeek_init/out | 4 ++ testing/btest/language/zeek_init.bro | 44 +++++++++++++++++++ 118 files changed, 229 insertions(+), 165 deletions(-) create mode 100644 testing/btest/Baseline/language.zeek_init/out create mode 100644 testing/btest/language/zeek_init.bro diff --git a/scripts/base/files/extract/main.bro b/scripts/base/files/extract/main.bro index b2d1907e01..eaae44a089 100644 --- a/scripts/base/files/extract/main.bro +++ b/scripts/base/files/extract/main.bro 
@@ -75,7 +75,7 @@ event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, f$info$extracted_size = limit; } -event bro_init() &priority=10 +event zeek_init() &priority=10 { Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add); } diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index 972e8a31c8..2016d53901 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -55,7 +55,7 @@ redef record fa_file += { const pe_mime_types = { "application/x-dosexec" }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types); Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]); diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro index 4670ff35c1..1a9841d5b1 100644 --- a/scripts/base/files/unified2/main.bro +++ b/scripts/base/files/unified2/main.bro @@ -193,7 +193,7 @@ event Input::end_of_data(name: string, source: string) start_watching(); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Unified2::LOG, [$columns=Info, $ev=log_unified2, $path="unified2"]); diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index b6fdde5494..e674ae8888 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro @@ -29,7 +29,7 @@ export { global log_x509: event(rec: Info); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]); diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index 39b0d573fd..57a602f308 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro 
@@ -135,7 +135,7 @@ export { global ports: table[Analyzer::Tag] of set[port]; -event bro_init() &priority=5 +event zeek_init() &priority=5 { if ( disable_all ) __disable_all_analyzers(); diff --git a/scripts/base/frameworks/broker/log.bro b/scripts/base/frameworks/broker/log.bro index 2461cb8d54..bd76684b74 100644 --- a/scripts/base/frameworks/broker/log.bro +++ b/scripts/base/frameworks/broker/log.bro @@ -30,7 +30,7 @@ export { }; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Broker::LOG, [$columns=Info, $path="broker"]); } diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index 9be261eaf1..93ed69c3c5 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -298,7 +298,7 @@ export { ## Register interest in all peer event messages that use a certain topic ## prefix. Note that subscriptions may not be altered immediately after - ## calling (except during :bro:see:`bro_init`). + ## calling (except during :bro:see:`zeek_init`). ## ## topic_prefix: a prefix to match against remote message topics. ## e.g. an empty prefix matches everything and "a" matches @@ -309,7 +309,7 @@ export { ## Unregister interest in all peer event messages that use a topic prefix. ## Note that subscriptions may not be altered immediately after calling - ## (except during :bro:see:`bro_init`). + ## (except during :bro:see:`zeek_init`). ## ## topic_prefix: a prefix previously supplied to a successful call to ## :bro:see:`Broker::subscribe` or :bro:see:`Broker::forward`. diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro index 2d492454d4..4a66315d1b 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.bro 
@@ -359,7 +359,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=1 } } -event bro_init() &priority=5 +event zeek_init() &priority=5 { # If a node is given, but it's an unknown name we need to fail. if ( node != "" && node !in nodes ) diff --git a/scripts/base/frameworks/cluster/pools.bro b/scripts/base/frameworks/cluster/pools.bro index 8f4e92b922..40f9a9cbf1 100644 --- a/scripts/base/frameworks/cluster/pools.bro +++ b/scripts/base/frameworks/cluster/pools.bro @@ -324,7 +324,7 @@ function mark_pool_node_dead(pool: Pool, name: string): bool return T; } -event bro_init() +event zeek_init() { worker_pool = register_pool(worker_pool_spec); proxy_pool = register_pool(proxy_pool_spec); @@ -344,8 +344,8 @@ function pool_sorter(a: Pool, b: Pool): int return strcmp(a$spec$topic, b$spec$topic); } -# Needs to execute before the bro_init in setup-connections -event bro_init() &priority=-5 +# Needs to execute before the zeek_init in setup-connections +event zeek_init() &priority=-5 { if ( ! Cluster::is_enabled() ) return; diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro index a90081c639..004dd22f2a 100644 --- a/scripts/base/frameworks/cluster/setup-connections.bro +++ b/scripts/base/frameworks/cluster/setup-connections.bro @@ -42,7 +42,7 @@ function connect_peers_with_type(node_type: NodeType) } } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { if ( getenv("BROCTL_CHECK_CONFIG") != "" ) return; diff --git a/scripts/base/frameworks/config/input.bro b/scripts/base/frameworks/config/input.bro index 7c1f37567b..9796d69f57 100644 --- a/scripts/base/frameworks/config/input.bro +++ b/scripts/base/frameworks/config/input.bro 
@@ -34,7 +34,7 @@ event config_line(description: Input::EventDescription, tpe: Input::Event, p: Ev { } -event bro_init() &priority=5 +event zeek_init() &priority=5 { if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) return; diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro index 2f9dbfc720..aacebbc530 100644 --- a/scripts/base/frameworks/config/main.bro +++ b/scripts/base/frameworks/config/main.bro @@ -150,7 +150,7 @@ function config_option_changed(ID: string, new_value: any, location: string): an return new_value; } -event bro_init() &priority=10 +event zeek_init() &priority=10 { Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config"]); diff --git a/scripts/base/frameworks/config/weird.bro b/scripts/base/frameworks/config/weird.bro index bc311e3029..5e55b0b188 100644 --- a/scripts/base/frameworks/config/weird.bro +++ b/scripts/base/frameworks/config/weird.bro @@ -35,7 +35,7 @@ function weird_option_change_interval(ID: string, new_value: interval, location: return new_value; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Option::set_change_handler("Weird::sampling_whitelist", weird_option_change_sampling_whitelist, 5); Option::set_change_handler("Weird::sampling_threshold", weird_option_change_count, 5); diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.bro index cce8b362d5..c6a3515bc3 100644 --- a/scripts/base/frameworks/dpd/main.bro +++ b/scripts/base/frameworks/dpd/main.bro @@ -39,7 +39,7 @@ redef record connection += { dpd: Info &optional; }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd"]); } diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro index d3d37b30ab..fc75d68e8e 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.bro 
@@ -324,7 +324,7 @@ global mime_type_to_analyzers: table[string] of set[Files::Tag]; global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: AnalyzerArgs) = table(); -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files"]); } diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro index b71e8c47ea..2d51ffb200 100644 --- a/scripts/base/frameworks/intel/cluster.bro +++ b/scripts/base/frameworks/intel/cluster.bro @@ -16,7 +16,7 @@ redef have_full_data = F; @endif @if ( Cluster::local_node_type() == Cluster::MANAGER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, remove_indicator); } @@ -67,7 +67,7 @@ event Intel::match_remote(s: Seen) &priority=5 @endif @if ( Cluster::local_node_type() == Cluster::WORKER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, match_remote); Broker::auto_publish(Cluster::manager_topic, remove_item); diff --git a/scripts/base/frameworks/intel/input.bro b/scripts/base/frameworks/intel/input.bro index aea3ac9a35..4dfa011fad 100644 --- a/scripts/base/frameworks/intel/input.bro +++ b/scripts/base/frameworks/intel/input.bro @@ -27,7 +27,7 @@ event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::insert(item); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER ) diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index 4bc3b296dd..f59323369d 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -223,7 +223,7 @@ type MinDataStore: record { global min_data_store: MinDataStore &redef; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel"]); } 
diff --git a/scripts/base/frameworks/logging/postprocessors/scp.bro b/scripts/base/frameworks/logging/postprocessors/scp.bro index d63520abe6..462cb86b20 100644 --- a/scripts/base/frameworks/logging/postprocessors/scp.bro +++ b/scripts/base/frameworks/logging/postprocessors/scp.bro @@ -2,7 +2,7 @@ ##! to a logging filter in order to automatically SCP (secure copy) ##! a log stream (or a subset of it) to a remote host at configurable ##! rotation time intervals. Generally, to use this functionality -##! you must handle the :bro:id:`bro_init` event and do the following +##! you must handle the :bro:id:`zeek_init` event and do the following ##! in your handler: ##! ##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path, diff --git a/scripts/base/frameworks/logging/postprocessors/sftp.bro b/scripts/base/frameworks/logging/postprocessors/sftp.bro index 8c77899864..803851261f 100644 --- a/scripts/base/frameworks/logging/postprocessors/sftp.bro +++ b/scripts/base/frameworks/logging/postprocessors/sftp.bro @@ -2,7 +2,7 @@ ##! to a logging filter in order to automatically SFTP ##! a log stream (or a subset of it) to a remote host at configurable ##! rotation time intervals. Generally, to use this functionality -##! you must handle the :bro:id:`bro_init` event and do the following +##! you must handle the :bro:id:`zeek_init` event and do the following ##! in your handler: ##! ##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path, diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro index 79de7d9662..83d9e1d7af 100644 --- a/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro 
@@ -163,7 +163,7 @@ export { # Set that is used to only send seen notifications to the master every ~30 seconds. global catch_release_recently_notified: set[addr] &create_expire=30secs; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release"]); } @@ -227,13 +227,13 @@ global blocks: table[addr] of BlockInfo = {} @if ( Cluster::is_enabled() ) @if ( Cluster::local_node_type() == Cluster::MANAGER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_new); Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_delete); } @else -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_add); Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_delete); diff --git a/scripts/base/frameworks/netcontrol/cluster.bro b/scripts/base/frameworks/netcontrol/cluster.bro index d70ab6d1c1..3fbd4cd6a1 100644 --- a/scripts/base/frameworks/netcontrol/cluster.bro +++ b/scripts/base/frameworks/netcontrol/cluster.bro @@ -17,7 +17,7 @@ export { } @if ( Cluster::local_node_type() == Cluster::MANAGER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, NetControl::rule_added); Broker::auto_publish(Cluster::worker_topic, NetControl::rule_removed); @@ -28,7 +28,7 @@ event bro_init() Broker::auto_publish(Cluster::worker_topic, NetControl::rule_destroyed); } @else -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_add_rule); Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_remove_rule); diff --git a/scripts/base/frameworks/netcontrol/drop.bro b/scripts/base/frameworks/netcontrol/drop.bro index 8b31996057..40304e1187 100644 --- a/scripts/base/frameworks/netcontrol/drop.bro 
+++ b/scripts/base/frameworks/netcontrol/drop.bro @@ -55,7 +55,7 @@ export { global log_netcontrol_drop: event(rec: DropInfo); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(NetControl::DROP, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop"]); } diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.bro index a9418508af..b85d42046a 100644 --- a/scripts/base/frameworks/netcontrol/main.bro +++ b/scripts/base/frameworks/netcontrol/main.bro @@ -262,7 +262,7 @@ export { ##### Plugin functions ## Function called by plugins once they finished their activation. After all - ## plugins defined in bro_init finished to activate, rules will start to be sent + ## plugins defined in zeek_init finished to activate, rules will start to be sent ## to the plugins. Rules that scripts try to set before the backends are ready ## will be discarded. global plugin_activated: function(p: PluginState); @@ -338,13 +338,13 @@ redef record Rule += { }; # Variable tracking the state of plugin activation. Once all plugins that -# have been added in bro_init are activated, this will switch to T and +# have been added in zeek_init are activated, this will switch to T and # the event NetControl::init_done will be raised. global plugins_active: bool = F; -# Set to true at the end of bro_init (with very low priority). +# Set to true at the end of zeek_init (with very low priority). # Used to track when plugin activation could potentially be finished -global bro_init_done: bool = F; +global zeek_init_done: bool = F; # The counters that are used to generate the rule and plugin IDs global rule_counter: count = 1; 
@@ -364,7 +364,7 @@ global rules_by_subnets: table[subnet] of set[string]; # There always only can be one rule of each type for one entity. global rule_entities: table[Entity, RuleType] of Rule; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol"]); } @@ -613,18 +613,18 @@ function plugin_activated(p: PluginState) plugin_ids[id]$_activated = T; log_msg("activation finished", p); - if ( bro_init_done ) + if ( zeek_init_done ) check_plugins(); } -event bro_init() &priority=-5 +event zeek_init() &priority=-5 { event NetControl::init(); } event NetControl::init() &priority=-20 { - bro_init_done = T; + zeek_init_done = T; check_plugins(); diff --git a/scripts/base/frameworks/netcontrol/shunt.bro b/scripts/base/frameworks/netcontrol/shunt.bro index 1275be1560..58923a0cb3 100644 --- a/scripts/base/frameworks/netcontrol/shunt.bro +++ b/scripts/base/frameworks/netcontrol/shunt.bro @@ -36,7 +36,7 @@ export { global log_netcontrol_shunt: event(rec: ShuntInfo); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt"]); } diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.bro index a385d8c626..02fe65e163 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.bro +++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro @@ -95,7 +95,7 @@ function pp_postprocessor(info: Log::RotationInfo): bool return T; } -event bro_init() +event zeek_init() { if ( ! want_pp() ) return; diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index 881e5d7467..5b2625e0db 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro 
@@ -385,7 +385,7 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool return T; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]);
@@ -531,7 +531,7 @@ event Notice::begin_suppression(ts: time, suppress_for: interval, note: Type, suppressing[note, identifier] = suppress_until; }
-event bro_init()
+event zeek_init()
 { if ( ! Cluster::is_enabled() ) return;
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index c7a1f3aefb..d91a93ce27 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -296,7 +296,7 @@ const notice_actions = { ACTION_NOTICE_ONCE, };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird"]); }
diff --git a/scripts/base/frameworks/openflow/cluster.bro b/scripts/base/frameworks/openflow/cluster.bro
index 9ae4274bb7..6ff005b877 100644
--- a/scripts/base/frameworks/openflow/cluster.bro
+++ b/scripts/base/frameworks/openflow/cluster.bro
@@ -15,7 +15,7 @@ export { @if ( Cluster::local_node_type() != Cluster::MANAGER ) # Workers need ability to forward commands to manager.
-event bro_init()
+event zeek_init()
 { Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_mod); Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_clear);
diff --git a/scripts/base/frameworks/openflow/plugins/log.bro b/scripts/base/frameworks/openflow/plugins/log.bro
index 2fd961cd4f..7f1ecf86ea 100644
--- a/scripts/base/frameworks/openflow/plugins/log.bro
+++ b/scripts/base/frameworks/openflow/plugins/log.bro
@@ -46,7 +46,7 @@ export { global log_openflow: event(rec: Info); }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow"]); }
diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro
index 9657f14c44..c06e801710 100644
--- a/scripts/base/frameworks/packet-filter/main.bro
+++ b/scripts/base/frameworks/packet-filter/main.bro
@@ -157,7 +157,7 @@ event filter_change_tracking() schedule 5min { filter_change_tracking() }; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter"]);
@@ -175,7 +175,7 @@ event bro_init() &priority=5 } }
-event bro_init() &priority=-5
+event zeek_init() &priority=-5
 { install();
diff --git a/scripts/base/frameworks/packet-filter/netstats.bro b/scripts/base/frameworks/packet-filter/netstats.bro
index 14545243d2..48b157b3eb 100644
--- a/scripts/base/frameworks/packet-filter/netstats.bro
+++ b/scripts/base/frameworks/packet-filter/netstats.bro
@@ -33,7 +33,7 @@ event net_stats_update(last_stat: NetStats) schedule stats_collection_interval { net_stats_update(ns) }; }
-event bro_init()
+event zeek_init()
 { # Since this currently only calculates packet drops, let's skip the stats # collection if reading traces.
diff --git a/scripts/base/frameworks/reporter/main.bro b/scripts/base/frameworks/reporter/main.bro
index 8cba29bdc2..3d4107a80e 100644
--- a/scripts/base/frameworks/reporter/main.bro
+++ b/scripts/base/frameworks/reporter/main.bro
@@ -35,7 +35,7 @@ export { }; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter"]); }
diff --git a/scripts/base/frameworks/signatures/main.bro b/scripts/base/frameworks/signatures/main.bro
index 70c446d046..da19416871 100644
--- a/scripts/base/frameworks/signatures/main.bro
+++ b/scripts/base/frameworks/signatures/main.bro
@@ -140,7 +140,7 @@ global count_per_orig: table[addr, string] of count global did_sig_log: set[string] &read_expire = 1 hr;
-event bro_init()
+event zeek_init()
 { Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]); }
diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro
index 068f34d1cf..291ca539a1 100644
--- a/scripts/base/frameworks/software/main.bro
+++ b/scripts/base/frameworks/software/main.bro
@@ -121,7 +121,7 @@ export { global register: event(info: Info); }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software"]); }
diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro
index f92b4112ff..670ad86fe1 100644
--- a/scripts/base/frameworks/sumstats/cluster.bro
+++ b/scripts/base/frameworks/sumstats/cluster.bro
@@ -61,7 +61,7 @@ global recent_global_view_keys: set[string, Key] &create_expire=1min; @if ( Cluster::local_node_type() != Cluster::MANAGER )
-event bro_init() &priority=100
+event zeek_init() &priority=100
 { Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_send_result); Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_key_intermediate_response);
@@ -209,7 +209,7 @@ function request_key(ss_name: string, key: Key): Result @if ( Cluster::local_node_type() == Cluster::MANAGER )
-event bro_init() &priority=100
+event zeek_init() &priority=100
 { Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_ss_request); Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_get_result);
diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro
index a37877f7e8..a312377111 100644
--- a/scripts/base/frameworks/sumstats/main.bro
+++ b/scripts/base/frameworks/sumstats/main.bro
@@ -270,7 +270,7 @@ function add_observe_plugin_dependency(calc: Calculation, depends_on: Calculatio calc_deps[calc] += depends_on; }
-event bro_init() &priority=100000
+event zeek_init() &priority=100000
 { # Call all of the plugin registration hooks hook register_observe_plugins();
diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro
index f90616e38e..f72a7d3445 100644
--- a/scripts/base/frameworks/tunnels/main.bro
+++ b/scripts/base/frameworks/tunnels/main.bro
@@ -87,7 +87,7 @@ const teredo_ports = { 3544/udp }; const gtpv1_ports = { 2152/udp, 2123/udp }; redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel"]);
diff --git a/scripts/base/misc/find-checksum-offloading.bro b/scripts/base/misc/find-checksum-offloading.bro
index 334cf4a2db..1edd4f9799 100644
--- a/scripts/base/misc/find-checksum-offloading.bro
+++ b/scripts/base/misc/find-checksum-offloading.bro
@@ -62,7 +62,7 @@ event ChecksumOffloading::check() } }
-event bro_init()
+event zeek_init()
 { schedule check_interval { ChecksumOffloading::check() }; }
@@ -81,7 +81,7 @@ event conn_weird(name: string, c: connection, addl: string) ++bad_udp_checksums; }
-event bro_done()
+event zeek_done()
 { event ChecksumOffloading::check(); }
diff --git a/scripts/base/misc/find-filtered-trace.bro b/scripts/base/misc/find-filtered-trace.bro
index a723b656a7..a756f78551 100644
--- a/scripts/base/misc/find-filtered-trace.bro
+++ b/scripts/base/misc/find-filtered-trace.bro
@@ -36,7 +36,7 @@ event connection_state_remove(c: connection) saw_tcp_conn_with_data = T; }
-event bro_done()
+event zeek_done()
 { if ( ! enable ) return;
diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro
index e2209b6e22..77a9c63aac 100644
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@@ -155,7 +155,7 @@ redef record connection += { conn: Info &optional; };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn"]); }
diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro
index 7013ae15e9..1b318265e8 100644
--- a/scripts/base/protocols/dce-rpc/main.bro
+++ b/scripts/base/protocols/dce-rpc/main.bro
@@ -59,7 +59,7 @@ redef record connection += { const ports = { 135/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.bro
index b31c623afa..20998c082c 100644
--- a/scripts/base/protocols/dhcp/main.bro
+++ b/scripts/base/protocols/dhcp/main.bro
@@ -117,14 +117,14 @@ redef record Info += { const ports = { 67/udp, 68/udp, 4011/udp }; redef likely_server_ports += { 67/udp };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports); } @if ( Cluster::is_enabled() )
-event bro_init()
+event zeek_init()
 { Broker::auto_publish(Cluster::manager_topic, DHCP::aggregate_msgs); }
@@ -264,7 +264,7 @@ event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP:: event DHCP::aggregate_msgs(network_time(), c$id, c$uid, is_orig, msg, options); }
-event bro_done() &priority=-5
+event zeek_done() &priority=-5
 { # Log any remaining data that hasn't already been logged! for ( i in DHCP::join_data )
diff --git a/scripts/base/protocols/dnp3/main.bro b/scripts/base/protocols/dnp3/main.bro
index 35dd012d75..184816c59f 100644
--- a/scripts/base/protocols/dnp3/main.bro
+++ b/scripts/base/protocols/dnp3/main.bro
@@ -34,7 +34,7 @@ redef record connection += { const ports = { 20000/tcp , 20000/udp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3, $path="dnp3"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports);
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index f8e655d826..8504d614f6 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -154,7 +154,7 @@ redef record connection += { const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
diff --git a/scripts/base/protocols/ftp/files.bro b/scripts/base/protocols/ftp/files.bro
index e84eda7a5a..f2c2625bdb 100644
--- a/scripts/base/protocols/ftp/files.bro
+++ b/scripts/base/protocols/ftp/files.bro
@@ -45,7 +45,7 @@ function describe_file(f: fa_file): string return ""; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [$get_file_handle = FTP::get_file_handle,
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index 9b64345a12..78a4dbabff 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -50,7 +50,7 @@ redef record connection += { const ports = { 21/tcp, 2811/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp, $path="ftp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
diff --git a/scripts/base/protocols/http/files.bro b/scripts/base/protocols/http/files.bro
index 078c6d2e66..a8a67762d4 100644
--- a/scripts/base/protocols/http/files.bro
+++ b/scripts/base/protocols/http/files.bro
@@ -48,7 +48,7 @@ function describe_file(f: fa_file): string return ""; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Files::register_protocol(Analyzer::ANALYZER_HTTP, [$get_file_handle = HTTP::get_file_handle,
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index ea86367bb1..ef0561efb4 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -139,7 +139,7 @@ const ports = { redef likely_server_ports += { ports }; # Initialize the HTTP logging stream and ports.
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http"]); Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
diff --git a/scripts/base/protocols/imap/main.bro b/scripts/base/protocols/imap/main.bro
index 9f0305c80c..30bfeab229 100644
--- a/scripts/base/protocols/imap/main.bro
+++ b/scripts/base/protocols/imap/main.bro
@@ -4,7 +4,7 @@ module IMAP; const ports = { 143/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports); }
diff --git a/scripts/base/protocols/irc/files.bro b/scripts/base/protocols/irc/files.bro
index 759acdca81..59b178f4df 100644
--- a/scripts/base/protocols/irc/files.bro
+++ b/scripts/base/protocols/irc/files.bro
@@ -23,7 +23,7 @@ function get_file_handle(c: connection, is_orig: bool): string return cat(Analyzer::ANALYZER_IRC_DATA, c$start_time, c$id, is_orig); }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [$get_file_handle = IRC::get_file_handle]);
diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro
index c2de29da6a..85a8795e88 100644
--- a/scripts/base/protocols/irc/main.bro
+++ b/scripts/base/protocols/irc/main.bro
@@ -41,7 +41,7 @@ redef record connection += { const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc"]); Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro
index 18ee4da83f..c7dde949f2 100644
--- a/scripts/base/protocols/krb/files.bro
+++ b/scripts/base/protocols/krb/files.bro
@@ -61,7 +61,7 @@ function describe_file(f: fa_file): string f$info$x509$certificate$issuer); }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [$get_file_handle = KRB::get_file_handle,
diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro
index 076ea0e171..72103104d5 100644
--- a/scripts/base/protocols/krb/main.bro
+++ b/scripts/base/protocols/krb/main.bro
@@ -73,7 +73,7 @@ const tcp_ports = { 88/tcp }; const udp_ports = { 88/udp }; redef likely_server_ports += { tcp_ports, udp_ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
diff --git a/scripts/base/protocols/modbus/main.bro b/scripts/base/protocols/modbus/main.bro
index 5a30d170e5..d8866cefa1 100644
--- a/scripts/base/protocols/modbus/main.bro
+++ b/scripts/base/protocols/modbus/main.bro
@@ -32,7 +32,7 @@ redef record connection += { const ports = { 502/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus, $path="modbus"]); Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
diff --git a/scripts/base/protocols/mysql/main.bro b/scripts/base/protocols/mysql/main.bro
index e4ba07cbca..e4c76dd5bc 100644
--- a/scripts/base/protocols/mysql/main.bro
+++ b/scripts/base/protocols/mysql/main.bro
@@ -37,7 +37,7 @@ redef record connection += { const ports = { 1434/tcp, 3306/tcp };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql, $path="mysql"]); Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports);
diff --git a/scripts/base/protocols/ntlm/main.bro b/scripts/base/protocols/ntlm/main.bro
index 88a484e090..231f90473d 100644
--- a/scripts/base/protocols/ntlm/main.bro
+++ b/scripts/base/protocols/ntlm/main.bro
@@ -42,7 +42,7 @@ redef record connection += { ntlm: Info &optional; };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm"]); }
diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro
index ea30b27911..69a05cc8b3 100644
--- a/scripts/base/protocols/radius/main.bro
+++ b/scripts/base/protocols/radius/main.bro
@@ -56,7 +56,7 @@ redef record connection += { const ports = { 1812/udp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius, $path="radius"]); Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.bro
index 30d5764ce3..39c3ef8fd8 100644
--- a/scripts/base/protocols/rdp/main.bro
+++ b/scripts/base/protocols/rdp/main.bro
@@ -86,7 +86,7 @@ redef record connection += { const ports = { 3389/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(RDP::LOG, [$columns=RDP::Info, $ev=log_rdp, $path="rdp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, ports);
diff --git a/scripts/base/protocols/rfb/main.bro b/scripts/base/protocols/rfb/main.bro
index ff05063538..ae9d3ca508 100644
--- a/scripts/base/protocols/rfb/main.bro
+++ b/scripts/base/protocols/rfb/main.bro
@@ -76,7 +76,7 @@ redef record connection += { rfb: Info &optional; };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]); }
diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.bro
index 68ebb9b222..e0647e6494 100644
--- a/scripts/base/protocols/sip/main.bro
+++ b/scripts/base/protocols/sip/main.bro
@@ -98,7 +98,7 @@ redef record connection += { const ports = { 5060/udp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports);
diff --git a/scripts/base/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro
index 5916624941..ac719d728f 100644
--- a/scripts/base/protocols/smb/files.bro
+++ b/scripts/base/protocols/smb/files.bro
@@ -46,7 +46,7 @@ function describe_file(f: fa_file): string return ""; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Files::register_protocol(Analyzer::ANALYZER_SMB, [$get_file_handle = SMB::get_file_handle,
diff --git a/scripts/base/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro
index 07225548be..5524bde4f0 100644
--- a/scripts/base/protocols/smb/main.bro
+++ b/scripts/base/protocols/smb/main.bro
@@ -177,7 +177,7 @@ redef record FileInfo += { const ports = { 139/tcp, 445/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]); Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]);
diff --git a/scripts/base/protocols/smtp/files.bro b/scripts/base/protocols/smtp/files.bro
index bf410fa201..cb38c27c97 100644
--- a/scripts/base/protocols/smtp/files.bro
+++ b/scripts/base/protocols/smtp/files.bro
@@ -38,7 +38,7 @@ function describe_file(f: fa_file): string return ""; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Files::register_protocol(Analyzer::ANALYZER_SMTP, [$get_file_handle = SMTP::get_file_handle,
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro
index faa73d2412..b13bbadb8d 100644
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@@ -92,7 +92,7 @@ redef record connection += { const ports = { 25/tcp, 587/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp, $path="smtp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
diff --git a/scripts/base/protocols/snmp/main.bro b/scripts/base/protocols/snmp/main.bro
index ec45d59440..606d3e9c76 100644
--- a/scripts/base/protocols/snmp/main.bro
+++ b/scripts/base/protocols/snmp/main.bro
@@ -63,7 +63,7 @@ redef record connection += { const ports = { 161/udp, 162/udp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports); Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp, $path="snmp"]);
diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro
index 341b6bbc84..2ca9dfc175 100644
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@@ -47,7 +47,7 @@ export { const ports = { 1080/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks, $path="socks"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index 4452424512..2e70bc1aba 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -136,7 +136,7 @@ redef record connection += { const ports = { 22/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports); Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh"]);
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index ae13147d8e..fd3080b47d 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -79,7 +79,7 @@ function describe_file(f: fa_file): string f$info$x509$certificate$issuer); }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Files::register_protocol(Analyzer::ANALYZER_SSL, [$get_file_handle = SSL::get_file_handle,
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 8abb6e1d3f..42d3e2ed62 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -137,7 +137,7 @@ const dtls_ports = { 443/udp }; redef likely_server_ports += { ssl_ports, dtls_ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro
index 6e74760225..6b8cc7fb77 100644
--- a/scripts/base/protocols/syslog/main.bro
+++ b/scripts/base/protocols/syslog/main.bro
@@ -34,7 +34,7 @@ redef record connection += { const ports = { 514/udp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
diff --git a/scripts/base/protocols/xmpp/main.bro b/scripts/base/protocols/xmpp/main.bro
index 3d7a4cbc37..587432561f 100644
--- a/scripts/base/protocols/xmpp/main.bro
+++ b/scripts/base/protocols/xmpp/main.bro
@@ -4,7 +4,7 @@ module XMPP; const ports = { 5222/tcp, 5269/tcp }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, ports); }
diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.bro
index 91053a1223..fe44853541 100644
--- a/scripts/base/utils/exec.bro
+++ b/scripts/base/utils/exec.bro
@@ -186,7 +186,7 @@ function run(cmd: Command): Result } }
-event bro_done()
+event zeek_done()
 { # We are punting here and just deleting any unprocessed files. for ( uid in pending_files )
diff --git a/scripts/base/utils/site.bro b/scripts/base/utils/site.bro
index aa40e1b92b..541dcb3f9a 100644
--- a/scripts/base/utils/site.bro
+++ b/scripts/base/utils/site.bro
@@ -148,7 +148,7 @@ function get_emails(a: addr): string return fmt_email_string(find_all_emails(a)); }
-event bro_init() &priority=10
+event zeek_init() &priority=10
 { # Double backslashes are needed due to string parsing. local_dns_suffix_regex = set_to_regex(local_zones, "(^\\.?|\\.)(~~)$");
diff --git a/scripts/broxygen/__load__.bro b/scripts/broxygen/__load__.bro
index 5d4ac5ea03..01f920407e 100644
--- a/scripts/broxygen/__load__.bro
+++ b/scripts/broxygen/__load__.bro
@@ -11,7 +11,7 @@ @load ./example.bro
-event bro_init()
+event zeek_init()
 { terminate(); }
diff --git a/scripts/broxygen/example.bro b/scripts/broxygen/example.bro
index 65cc5ff1c7..d241051b7d 100644
--- a/scripts/broxygen/example.bro
+++ b/scripts/broxygen/example.bro
@@ -189,6 +189,6 @@ type PrivateRecord: record { # Event handlers are also an implementation detail of a script, so they # don't show up anywhere in the generated documentation.
-event bro_init()
+event zeek_init()
 { }
diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro
index e416535dd4..8cc9d5aef3 100644
--- a/scripts/policy/files/x509/log-ocsp.bro
+++ b/scripts/policy/files/x509/log-ocsp.bro
@@ -39,7 +39,7 @@ export { global log_ocsp: event(rec: Info); }
-event bro_init()
+event zeek_init()
 { Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/scripts/policy/frameworks/control/controllee.bro b/scripts/policy/frameworks/control/controllee.bro
index c3f08cda2b..89768ef997 100644
--- a/scripts/policy/frameworks/control/controllee.bro
+++ b/scripts/policy/frameworks/control/controllee.bro
@@ -12,7 +12,7 @@ module Control;
-event bro_init() &priority=-10
+event zeek_init() &priority=-10
 { Broker::subscribe(Control::topic_prefix + "/" + Broker::node_id()); Broker::auto_publish(Control::topic_prefix + "/id_value_response",
diff --git a/scripts/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.bro
index b81ce4b2d6..6befe70fe8 100644
--- a/scripts/policy/frameworks/control/controller.bro
+++ b/scripts/policy/frameworks/control/controller.bro
@@ -12,7 +12,7 @@ module Control; # Do some sanity checking and rework the communication nodes.
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { # We know that some command was given because this script wouldn't be # loaded if there wasn't so we can feel free to throw an error here and
diff --git a/scripts/policy/frameworks/packet-filter/shunt.bro b/scripts/policy/frameworks/packet-filter/shunt.bro
index 97ae0c792d..13ff27252c 100644
--- a/scripts/policy/frameworks/packet-filter/shunt.bro
+++ b/scripts/policy/frameworks/packet-filter/shunt.bro
@@ -76,7 +76,7 @@ function shunt_filters() PacketFilter::exclude("shunt_filters", filter); }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { register_filter_plugin([ $func()={ return shunt_filters(); }
diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro
index 92a6698af3..b8d8c43a12 100644
--- a/scripts/policy/frameworks/software/vulnerable.bro
+++ b/scripts/policy/frameworks/software/vulnerable.bro
@@ -117,7 +117,7 @@ function update_vulnerable_sw() event grab_vulnerable_versions(1); }
-event bro_init() &priority=3
+event zeek_init() &priority=3
 { update_vulnerable_sw(); }
diff --git a/scripts/policy/integration/barnyard2/main.bro b/scripts/policy/integration/barnyard2/main.bro
index 96c74043f7..7d0bb59d5a 100644
--- a/scripts/policy/integration/barnyard2/main.bro
+++ b/scripts/policy/integration/barnyard2/main.bro
@@ -24,7 +24,7 @@ export { global pid2cid: function(p: PacketID): conn_id; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Barnyard2::LOG, [$columns=Info, $path="barnyard2"]); }
diff --git a/scripts/policy/misc/capture-loss.bro b/scripts/policy/misc/capture-loss.bro
index 541f6577cc..302919597f 100644
--- a/scripts/policy/misc/capture-loss.bro
+++ b/scripts/policy/misc/capture-loss.bro
@@ -74,7 +74,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps: schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) }; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(LOG, [$columns=Info, $path="capture_loss"]);
diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro
index 5cbb34e27e..8271277af6 100644
--- a/scripts/policy/misc/detect-traceroute/main.bro
+++ b/scripts/policy/misc/detect-traceroute/main.bro
@@ -53,7 +53,7 @@ export { global log_traceroute: event(rec: Traceroute::Info); }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute, $path="traceroute"]);
diff --git a/scripts/policy/misc/load-balancing.bro b/scripts/policy/misc/load-balancing.bro
index 40bbe238ca..62f352f12e 100644
--- a/scripts/policy/misc/load-balancing.bro
+++ b/scripts/policy/misc/load-balancing.bro
@@ -28,7 +28,7 @@ export { @if ( Cluster::is_enabled() )
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { if ( method != AUTO_BPF ) return;
diff --git a/scripts/policy/misc/loaded-scripts.bro b/scripts/policy/misc/loaded-scripts.bro
index bfc0aad114..fd616bba19 100644
--- a/scripts/policy/misc/loaded-scripts.bro
+++ b/scripts/policy/misc/loaded-scripts.bro
@@ -27,7 +27,7 @@ function get_indent(level: count): string return out; }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts"]); }
diff --git a/scripts/policy/misc/profiling.bro b/scripts/policy/misc/profiling.bro
index 613e78f860..5a0dfe5fcf 100644
--- a/scripts/policy/misc/profiling.bro
+++ b/scripts/policy/misc/profiling.bro
@@ -12,7 +12,7 @@ redef profiling_interval = 15 secs; ## :bro:id:`profiling_interval`). redef expensive_profiling_multiple = 20;
-event bro_init()
+event zeek_init()
 { set_buf(profiling_file, F); }
diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro
index d70f8f9e79..6468767674 100644
--- a/scripts/policy/misc/scan.bro
+++ b/scripts/policy/misc/scan.bro
@@ -51,7 +51,7 @@ export { global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port); }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(addr_scan_threshold+2)]; SumStats::create([$name="addr-scan",
diff --git a/scripts/policy/misc/stats.bro b/scripts/policy/misc/stats.bro
index 0bbf5c8aac..9c4ae4e792 100644
--- a/scripts/policy/misc/stats.bro
+++ b/scripts/policy/misc/stats.bro
@@ -82,7 +82,7 @@ export { global log_stats: event(rec: Info); }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats"]); }
@@ -149,7 +149,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr schedule report_interval { check_stats(nettime, ns, cs, ps, es, rs, ts, fs, ds) }; }
-event bro_init()
+event zeek_init()
 { schedule report_interval { check_stats(network_time(), get_net_stats(), get_conn_stats(), get_proc_stats(), get_event_stats(), get_reassembler_stats(), get_timer_stats(), get_file_analysis_stats(), get_dns_stats()) }; }
diff --git a/scripts/policy/misc/trim-trace-file.bro b/scripts/policy/misc/trim-trace-file.bro
index 8f534ec005..2d78977d8c 100644
--- a/scripts/policy/misc/trim-trace-file.bro
+++ b/scripts/policy/misc/trim-trace-file.bro
@@ -30,7 +30,7 @@ event TrimTraceFile::go(first_trim: bool) schedule trim_interval { TrimTraceFile::go(F) }; } -event bro_init() +event zeek_init() { if ( trim_interval > 0 secs ) schedule trim_interval { TrimTraceFile::go(T) }; diff --git a/scripts/policy/misc/weird-stats.bro b/scripts/policy/misc/weird-stats.bro index ac0914d531..bc75e2057a 100644 --- a/scripts/policy/misc/weird-stats.bro +++ b/scripts/policy/misc/weird-stats.bro @@ -51,7 +51,7 @@ function weird_epoch_finished(ts: time) this_epoch_weirds = table(); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(WeirdStats::LOG, [$columns = Info, $ev = log_weird_stats, diff --git a/scripts/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.bro index ef78630c6a..493784a859 100644 --- a/scripts/policy/protocols/conn/known-hosts.bro +++ b/scripts/policy/protocols/conn/known-hosts.bro @@ -61,7 +61,7 @@ export { global log_known_hosts: event(rec: HostsInfo); } -event bro_init() +event zeek_init() { if ( ! Known::use_host_store ) return; @@ -145,7 +145,7 @@ event Known::host_found(info: HostsInfo) event known_host_add(info); } -event bro_init() +event zeek_init() { Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts"]); } diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro index f9e129839d..63d9f7fa71 100644 --- a/scripts/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.bro @@ -80,7 +80,7 @@ redef record connection += { }; -event bro_init() +event zeek_init() { if ( ! Known::use_service_store ) return; @@ -216,7 +216,7 @@ event connection_state_remove(c: connection) &priority=-5 known_services_done(c); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo, $ev=log_known_services, 
diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro index eb70688d47..4ac7b61efc 100644 --- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro @@ -25,7 +25,7 @@ export { } -event bro_init() +event zeek_init() { local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)]; SumStats::create([$name="ftp-detect-bruteforcing", diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro index 01c98ba0d7..3ad9efbfe2 100644 --- a/scripts/policy/protocols/http/detect-sqli.bro +++ b/scripts/policy/protocols/http/detect-sqli.bro @@ -67,7 +67,7 @@ function format_sqli_samples(samples: vector of SumStats::Observation): string return ret; } -event bro_init() &priority=3 +event zeek_init() &priority=3 { # Add filters to the metrics so that the metrics framework knows how to # determine when it looks like an actual attack and how to respond when diff --git a/scripts/policy/protocols/modbus/known-masters-slaves.bro b/scripts/policy/protocols/modbus/known-masters-slaves.bro index a49e1f81e4..4ce56570d8 100644 --- a/scripts/policy/protocols/modbus/known-masters-slaves.bro +++ b/scripts/policy/protocols/modbus/known-masters-slaves.bro @@ -33,7 +33,7 @@ export { global log_known_modbus: event(rec: ModbusInfo); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus"]); } diff --git a/scripts/policy/protocols/modbus/track-memmap.bro b/scripts/policy/protocols/modbus/track-memmap.bro index 9a6e49e214..da2be29745 100644 --- a/scripts/policy/protocols/modbus/track-memmap.bro +++ b/scripts/policy/protocols/modbus/track-memmap.bro 
@@ -52,7 +52,7 @@ redef record Modbus::Info += { track_address: count &default=0; }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Modbus::REGISTER_CHANGE_LOG, [$columns=MemmapInfo, $path="modbus_register_change"]); } diff --git a/scripts/policy/protocols/smb/log-cmds.bro b/scripts/policy/protocols/smb/log-cmds.bro index 53e309c5ea..88108276dc 100644 --- a/scripts/policy/protocols/smb/log-cmds.bro +++ b/scripts/policy/protocols/smb/log-cmds.bro @@ -25,7 +25,7 @@ const deferred_logging_cmds: set[string] = { "TREE_CONNECT_ANDX", }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]); } diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro index 55687e2afd..208f3db04c 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro @@ -39,7 +39,7 @@ export { const ignore_guessers: table[subnet] of subnet &redef; } -event bro_init() +event zeek_init() { local r1: SumStats::Reducer = [$stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5]; SumStats::create([$name="detect-ssh-bruteforcing", diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro index ae4395289d..483c1f4ce1 100644 --- a/scripts/policy/protocols/ssl/heartbleed.bro +++ b/scripts/policy/protocols/ssl/heartbleed.bro @@ -45,7 +45,7 @@ type min_length: record { global min_lengths: vector of min_length = vector(); global min_lengths_tls11: vector of min_length = vector(); -event bro_init() +event zeek_init() { # Minimum length a heartbeat packet must have for different cipher suites. # Note - tls 1.1f and 1.0 have different lengths :( diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro index 63a371b3e1..3841b77d87 100644 
--- a/scripts/policy/protocols/ssl/known-certs.bro +++ b/scripts/policy/protocols/ssl/known-certs.bro @@ -72,7 +72,7 @@ export { global log_known_certs: event(rec: CertsInfo); } -event bro_init() +event zeek_init() { if ( ! Known::use_cert_store ) return; @@ -193,7 +193,7 @@ event ssl_established(c: connection) &priority=3 event Known::cert_found(info, hash); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs"]); } diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro index 258820664f..3aefac088a 100644 --- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro +++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro @@ -31,7 +31,7 @@ function host_certs_only(rec: X509::Info): bool return rec$logcert; } -event bro_init() &priority=2 +event zeek_init() &priority=2 { local f = Log::get_filter(X509::LOG, "default"); Log::remove_filter(X509::LOG, "default"); # disable default logging diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index bd76daeceb..6a85627b3c 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -62,7 +62,7 @@ export { global intermediate_cache: table[string] of vector of opaque of x509; @if ( Cluster::is_enabled() ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, SSL::intermediate_add); Broker::auto_publish(Cluster::manager_topic, SSL::new_intermediate); diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index 4d79bfd7ad..b4db3666eb 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro 
@@ -69,7 +69,7 @@ export { global recently_validated_scts: table[string] of bool = table() &read_expire=5mins &redef; -event bro_init() +event zeek_init() { Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); } diff --git a/scripts/policy/tuning/defaults/warnings.bro b/scripts/policy/tuning/defaults/warnings.bro index cedc3d62ad..6c31e82d4e 100644 --- a/scripts/policy/tuning/defaults/warnings.bro +++ b/scripts/policy/tuning/defaults/warnings.bro @@ -4,7 +4,7 @@ @load base/utils/site -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { if ( |Site::local_nets| == 0 ) print "WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks."; diff --git a/src/Net.cc b/src/Net.cc index d6cb6632b2..b61d365a2a 100644 --- a/src/Net.cc +++ b/src/Net.cc @@ -188,7 +188,7 @@ void net_init(name_list& interfaces, name_list& readfiles, else // have_pending_timers = 1, possibly. We don't set // that here, though, because at this point we don't know - // whether the user's bro_init() event will indeed set + // whether the user's zeek_init() event will indeed set // a timer. reading_traces = reading_live = 0; diff --git a/src/Val.cc b/src/Val.cc index b55a9090d3..340cef6bb5 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -2319,7 +2319,7 @@ void TableVal::DoExpire(double t) if ( v->ExpireAccessTime() == 0 ) { // This happens when we insert val while network_time - // hasn't been initialized yet (e.g. in bro_init()), and + // hasn't been initialized yet (e.g. in zeek_init()), and // also when bro_start_network_time hasn't been initialized // (e.g. before first packet). The expire_access_time is // correct, so we just need to wait. diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 1546f846e5..c7e156b41e 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc 
@@ -113,7 +113,7 @@ void Manager::InitPostScript() void Manager::DumpDebug() { #ifdef DEBUG - DBG_LOG(DBG_ANALYZER, "Available analyzers after bro_init():"); + DBG_LOG(DBG_ANALYZER, "Available analyzers after zeek_init():"); list all_analyzers = GetComponents(); for ( list::const_iterator i = all_analyzers.begin(); i != all_analyzers.end(); ++i ) DBG_LOG(DBG_ANALYZER, " %s (%s)", (*i)->Name().c_str(), diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 7f58a45cbf..8f6d982394 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -78,10 +78,10 @@ public: /** * Dumps out the state of all registered analyzers to the \c analyzer - * debug stream. Should be called only after any \c bro_init events + * debug stream. Should be called only after any \c zeek_init events * have executed to ensure that any of their changes are applied. */ - void DumpDebug(); // Called after bro_init() events. + void DumpDebug(); // Called after zeek_init() events. /** * Enables an analyzer type. Only enabled analyzers will be diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif index d93ebe4819..3e053458ea 100644 --- a/src/analyzer/protocol/tcp/events.bif +++ b/src/analyzer/protocol/tcp/events.bif @@ -151,7 +151,7 @@ event connection_reset%(c: connection%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_rejected connection_reset connection_reused connection_state_remove ## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection bro_done +## new_connection new_connection_contents partial_connection zeek_done event connection_pending%(c: connection%); ## Generated for a SYN packet. Bro raises this event for every SYN packet seen diff --git a/src/bro.bif b/src/bro.bif index 96419ab83d..4440f823c7 100644 --- a/src/bro.bif +++ b/src/bro.bif 
@@ -2994,8 +2994,8 @@ function uuid_to_string%(uuid: string%): string ## ## .. note:: ## -## This function must be called at Bro startup time, e.g., in the event -## :bro:id:`bro_init`. +## This function must be called at Zeek startup time, e.g., in the event +## :bro:id:`zeek_init`. function merge_pattern%(p1: pattern, p2: pattern%): pattern &deprecated %{ RE_Matcher* re = new RE_Matcher(); @@ -3061,8 +3061,8 @@ function convert_for_pattern%(s: string%): string ## ## .. note:: ## -## This function must be called at Bro startup time, e.g., in the event -## :bro:id:`bro_init`. +## This function must be called at Zeek startup time, e.g., in the event +## :bro:id:`zeek_init`. function string_to_pattern%(s: string, convert: bool%): pattern %{ const char* ss = (const char*) (s->Bytes()); @@ -4953,7 +4953,7 @@ function enable_communication%(%): any &deprecated %{ if ( bro_start_network_time != 0.0 ) { - builtin_error("communication must be enabled in bro_init"); + builtin_error("communication must be enabled in zeek_init"); return 0; } diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index d31198ced7..ec69308790 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -138,7 +138,7 @@ Manager::Manager(bool arg_reading_pcaps) { bound_port = 0; reading_pcaps = arg_reading_pcaps; - after_bro_init = false; + after_zeek_init = false; peer_count = 0; log_topic_func = nullptr; vector_of_data_type = nullptr; @@ -772,7 +772,7 @@ RecordVal* Manager::MakeEvent(val_list* args, Frame* frame) bool Manager::Subscribe(const string& topic_prefix) { DBG_LOG(DBG_BROKER, "Subscribing to topic prefix %s", topic_prefix.c_str()); - bstate->subscriber.add_topic(topic_prefix, ! after_bro_init); + bstate->subscriber.add_topic(topic_prefix, ! after_zeek_init); return true; } 
@@ -799,7 +799,7 @@ bool Manager::Unsubscribe(const string& topic_prefix) } DBG_LOG(DBG_BROKER, "Unsubscribing from topic prefix %s", topic_prefix.c_str()); - bstate->subscriber.remove_topic(topic_prefix, ! after_bro_init); + bstate->subscriber.remove_topic(topic_prefix, ! after_zeek_init); return true; } diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 87aba80058..a0520698da 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h @@ -66,8 +66,8 @@ public: */ void InitPostScript(); - void BroInitDone() - { after_bro_init = true; } + void ZeekInitDone() + { after_zeek_init = true; } /** * Shuts Broker down at termination. @@ -380,7 +380,7 @@ private: uint16_t bound_port; bool reading_pcaps; - bool after_bro_init; + bool after_zeek_init; int peer_count; Func* log_topic_func; diff --git a/src/event.bif b/src/event.bif index ae00c9b653..4585003090 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -30,36 +30,46 @@ # # - .. todo:: -## Generated at Bro initialization time. The event engine generates this +## Generated at Zeek initialization time. The event engine generates this ## event just before normal input processing begins. It can be used to execute -## one-time initialization code at startup. At the time a handler runs, Bro will +## one-time initialization code at startup. At the time a handler runs, Zeek will ## have executed any global initializations and statements. ## -## .. bro:see:: bro_done +## .. bro:see:: zeek_done ## ## .. note:: ## -## When a ``bro_init`` handler executes, Bro has not yet seen any input +## When a ``zeek_init`` handler executes, Zeek has not yet seen any input ## packets and therefore :bro:id:`network_time` is not initialized yet. An -## artifact of that is that any timer installed in a ``bro_init`` handler +## artifact of that is that any timer installed in a ``zeek_init`` handler ## will fire immediately with the first packet. The standard way to work ## around that is to ignore the first time the timer fires and immediately ## reschedule. ## -event bro_init%(%); +event zeek_init%(%); -## Generated at Bro termination time. The event engine generates this event when -## Bro is about to terminate, either due to having exhausted reading its input -## trace file(s), receiving a termination signal, or because Bro was run without +## Deprecated synonym for ``zeek_init``. +## +## .. bro:see: zeek_init +event bro_init%(%) &deprecated; + +## Generated at Zeek termination time. The event engine generates this event when +## Zeek is about to terminate, either due to having exhausted reading its input +## trace file(s), receiving a termination signal, or because Zeek was run without ## a network input source and has finished executing any global statements. ## -## .. bro:see:: bro_init +## .. bro:see:: zeek_init ## ## .. 
note:: ## -## If Bro terminates due to an invocation of :bro:id:`exit`, then this event +## If Zeek terminates due to an invocation of :bro:id:`exit`, then this event ## is not generated. -event bro_done%(%); +event zeek_done%(%); + +## Deprecated synonym for ``zeek_done``. +## +## .. bro:see: zeek_done +event bro_done%(%) &deprecated; ## Generated for every new connection. This event is raised with the first ## packet of a previously unknown connection. Bro uses a flow-based definition diff --git a/src/main.cc b/src/main.cc index 1116b8c331..e7ff3c0655 100644 --- a/src/main.cc +++ b/src/main.cc @@ -339,9 +339,9 @@ void terminate_bro() brofiler.WriteStats(); - EventHandlerPtr bro_done = internal_handler("bro_done"); - if ( bro_done ) - mgr.QueueEvent(bro_done, new val_list); + EventHandlerPtr zeek_done = internal_handler("zeek_done"); + if ( zeek_done ) + mgr.QueueEvent(zeek_done, new val_list); timer_mgr->Expire(); mgr.Drain(); @@ -1136,9 +1136,9 @@ int main(int argc, char** argv) // we don't have any other source for it. net_update_time(current_time()); - EventHandlerPtr bro_init = internal_handler("bro_init"); - if ( bro_init ) //### this should be a function - mgr.QueueEvent(bro_init, new val_list); + EventHandlerPtr zeek_init = internal_handler("zeek_init"); + if ( zeek_init ) //### this should be a function + mgr.QueueEvent(zeek_init, new val_list); EventRegistry::string_list* dead_handlers = event_registry->UnusedHandlers(); @@ -1204,7 +1204,7 @@ int main(int argc, char** argv) if ( reporter->Errors() > 0 && ! getenv("ZEEK_ALLOW_INIT_ERRORS") ) reporter->FatalError("errors occurred while initializing"); - broker_mgr->BroInitDone(); + broker_mgr->ZeekInitDone(); analyzer_mgr->DumpDebug(); have_pending_timers = ! reading_traces && timer_mgr->Size() > 0; diff --git a/src/parse.y b/src/parse.y index c0980ce8de..22f33003cb 100644 --- a/src/parse.y +++ b/src/parse.y 
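Review bot: The doc comments added for the deprecated `bro_init` and `bro_done` events write their cross-reference as `.. bro:see: zeek_init` and `.. bro:see: zeek_done`, with a single colon, while the existing references in this hunk use `.. bro:see::`. Without the double colon reST does not parse the line as a directive, so the pointer from the old name to its replacement would likely be missing from the generated documentation. Change them to `## .. bro:see:: zeek_init` and `## .. bro:see:: zeek_done`.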
@@ -1171,6 +1171,12 @@ func_hdr: } | TOK_EVENT event_id func_params opt_attr { + // Gracefully handle the deprecation of bro_init and bro_done + if ( strncmp("bro_init", $2->Name(), 8) == 0 ) + $2 = lookup_ID("zeek_init", "GLOBAL"); + if ( strncmp("bro_done", $2->Name(), 8) == 0 ) + $2 = lookup_ID("zeek_done", "GLOBAL"); + begin_func($2, current_module.c_str(), FUNC_FLAVOR_EVENT, 0, $3, $4); $$ = $3; diff --git a/testing/btest/Baseline/language.zeek_init/out b/testing/btest/Baseline/language.zeek_init/out new file mode 100644 index 0000000000..31b2428745 --- /dev/null +++ b/testing/btest/Baseline/language.zeek_init/out @@ -0,0 +1,4 @@ +zeek init at priority 10! +bro init at priority 5! +zeek init at priority 0! +bro init at priority -10! diff --git a/testing/btest/language/zeek_init.bro b/testing/btest/language/zeek_init.bro new file mode 100644 index 0000000000..27f82d626c --- /dev/null +++ b/testing/btest/language/zeek_init.bro @@ -0,0 +1,44 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + + +event zeek_init() &priority=10 + { + print "zeek_init at priority 10!"; + } + +event bro_init() &priority=5 + { + print "bro_init at priority 5!"; + } + +event zeek_init() &priority=0 + { + print "zeek_init at priority 0!"; + } + +event bro_init() &priority=-10 + { + print "bro_init at priority -10!"; + } + + +event zeek_done() &priority=10 + { + print "zeek_done at priority 10!"; + } + +event bro_done() &priority=5 + { + print "bro_done at priority 5!"; + } + +event zeek_done() &priority=0 + { + print "zeek_done at priority 0!"; + } + +event bro_done() &priority=-10 + { + print "bro_done at priority -10!"; + } From 5db766bd883982f2c53c95b48eb07826e9da04c0 Mon Sep 17 00:00:00 2001 
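Review bot: The checks added to the `TOK_EVENT` rule use `strncmp(..., 8)`, which is a prefix match, so any event whose name merely starts with `bro_init` or `bro_done` is silently rebound to `zeek_init` or `zeek_done`, and a handler written for a differently named event would then run at startup or shutdown. Compare the whole name instead, `if ( strcmp("bro_init", $2->Name()) == 0 )`, and likewise for `bro_done`. The result of `lookup_ID` is also assigned to `$2` without a null check, and the previous `$2` is overwritten. Whether that drops a reference depends on ownership rules not visible here, so it is worth confirming. The rule's action continues outside the hunk.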
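Review bot: The baseline committed with this test does not match what the script prints. The `out` hunk has four lines spelled `zeek init at priority 10!`, `bro init at priority 5!` and so on, while the handlers print `zeek_init ...` and `bro_init ...` with an underscore, and the four `zeek_done`/`bro_done` handlers add four more lines. As committed, `btest-diff out` would presumably fail, which leaves the deprecation shim in `parse.y` without a passing test at this commit. Regenerate the baseline in the same change; the next patch in the series lists this baseline in its diffstat, which suggests it is only corrected there.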
From: Seth Hall Date: Sun, 14 Apr 2019 08:19:08 -0400 Subject: [PATCH 69/88] Update docs and tests for bro_(init|done) -> zeek_(init|done) --- doc | 1 - .../Baseline/doc.broxygen.all_scripts/.stderr | 11 - .../Baseline/doc.broxygen.all_scripts/.stdout | 1 - .../Baseline/doc.broxygen.command_line/output | 1 - .../doc.broxygen.comment_retrieval_bifs/out | 70 ----- .../doc.broxygen.enums/autogen-reST-enums.rst | 60 ----- .../Baseline/doc.broxygen.example/example.rst | 248 ------------------ .../autogen-reST-func-params.rst | 30 --- .../Baseline/doc.broxygen.identifier/test.rst | 230 ---------------- .../Baseline/doc.broxygen.package/test.rst | 37 --- .../doc.broxygen.package_index/test.rst | 7 - .../autogen-reST-records.rst | 28 -- .../doc.broxygen.script_index/test.rst | 5 - .../doc.broxygen.script_summary/test.rst | 23 -- .../autogen-reST-type-aliases.rst | 44 ---- .../autogen-reST-vectors.rst | 33 --- .../doc.manual.connection_record_01/.stdout | 5 - .../doc.manual.connection_record_02/.stdout | 9 - .../doc.manual.data_struct_record_01/.stdout | 6 - .../doc.manual.data_struct_record_02/.stdout | 7 - .../.stdout | 8 - .../.stdout | 4 - .../.stdout | 4 - .../doc.manual.data_struct_vector/.stdout | 2 - .../.stdout | 4 - .../.stdout | 3 - .../doc.manual.data_type_const/.stdout | 4 - .../doc.manual.data_type_const_simple/.stdout | 0 .../doc.manual.data_type_declaration/.stdout | 1 - .../doc.manual.data_type_interval/.stdout | 15 -- .../doc.manual.data_type_local/.stdout | 1 - .../doc.manual.data_type_pattern_01/.stdout | 3 - .../doc.manual.data_type_pattern_02/.stdout | 2 - .../doc.manual.data_type_subnets/.stdout | 4 - .../doc.manual.data_type_time/.stdout | 8 - .../.stdout | 10 - .../factor.log | 19 -- .../factor-mod5.log | 15 -- .../factor-non5.log | 13 - .../factor-mod5.log | 15 -- .../factor-non5.log | 13 - .../.stdout | 0 .../.stdout | 0 .../.stdout | 0 .../.stdout | 0 .../doc.manual.using_bro_sandbox_01/.stdout | 0 .../doc.manual.using_bro_sandbox_01/conn.log | 
43 --- .../doc.manual.using_bro_sandbox_01/http.log | 23 -- .../doc.manual.using_bro_sandbox_02/conn.log | 15 -- .../doc.manual.using_bro_sandbox_02/http.log | 26 -- testing/btest/Baseline/language.zeek_init/out | 12 +- testing/btest/Baseline/plugins.hooks/output | 14 +- .../all-events-no-args.log | 4 +- .../all-events.log | 4 +- testing/btest/bifs/all_set.bro | 2 +- testing/btest/bifs/analyzer_name.bro | 2 +- testing/btest/bifs/any_set.bro | 2 +- testing/btest/bifs/bloomfilter-seed.bro | 2 +- testing/btest/bifs/bloomfilter.bro | 2 +- testing/btest/bifs/bro_version.bro | 2 +- testing/btest/bifs/bytestring_to_count.bro | 2 +- testing/btest/bifs/bytestring_to_double.bro | 2 +- testing/btest/bifs/bytestring_to_hexstr.bro | 2 +- testing/btest/bifs/capture_state_updates.bro | 2 +- testing/btest/bifs/cat.bro | 2 +- testing/btest/bifs/cat_string_array.bro | 2 +- testing/btest/bifs/check_subnet.bro | 2 +- testing/btest/bifs/checkpoint_state.bro | 2 +- testing/btest/bifs/clear_table.bro | 2 +- testing/btest/bifs/convert_for_pattern.bro | 2 +- testing/btest/bifs/count_to_addr.bro | 2 +- testing/btest/bifs/create_file.bro | 2 +- testing/btest/bifs/current_analyzer.bro | 2 +- testing/btest/bifs/current_time.bro | 2 +- testing/btest/bifs/directory_operations.bro | 2 +- testing/btest/bifs/edit.bro | 2 +- testing/btest/bifs/enable_raw_output.test | 2 +- testing/btest/bifs/entropy_test.bro | 2 +- testing/btest/bifs/enum_to_int.bro | 2 +- testing/btest/bifs/escape_string.bro | 2 +- testing/btest/bifs/exit.bro | 2 +- testing/btest/bifs/file_mode.bro | 2 +- testing/btest/bifs/filter_subnet_table.bro | 2 +- testing/btest/bifs/find_all.bro | 2 +- testing/btest/bifs/find_entropy.bro | 2 +- testing/btest/bifs/find_last.bro | 2 +- testing/btest/bifs/fmt.bro | 2 +- testing/btest/bifs/fmt_ftp_port.bro | 2 +- testing/btest/bifs/get_matcher_stats.bro | 2 +- .../btest/bifs/get_port_transport_proto.bro | 2 +- testing/btest/bifs/gethostname.bro | 2 +- testing/btest/bifs/getpid.bro | 2 +- 
testing/btest/bifs/getsetenv.bro | 2 +- testing/btest/bifs/global_ids.bro | 2 +- testing/btest/bifs/global_sizes.bro | 2 +- testing/btest/bifs/haversine_distance.bro | 2 +- testing/btest/bifs/hexdump.bro | 2 +- testing/btest/bifs/hexstr_to_bytestring.bro | 2 +- testing/btest/bifs/hll_cardinality.bro | 2 +- testing/btest/bifs/hll_large_estimate.bro | 2 +- testing/btest/bifs/identify_data.bro | 2 +- .../btest/bifs/install_src_addr_filter.test | 2 +- testing/btest/bifs/is_ascii.bro | 2 +- testing/btest/bifs/is_local_interface.bro | 2 +- testing/btest/bifs/is_port.bro | 2 +- testing/btest/bifs/join_string.bro | 2 +- testing/btest/bifs/levenshtein_distance.bro | 2 +- testing/btest/bifs/lookup_ID.bro | 2 +- testing/btest/bifs/lowerupper.bro | 2 +- testing/btest/bifs/matching_subnets.bro | 2 +- testing/btest/bifs/math.bro | 2 +- testing/btest/bifs/merge_pattern.bro | 2 +- testing/btest/bifs/net_stats_trace.test | 2 +- testing/btest/bifs/netbios-functions.bro | 2 +- testing/btest/bifs/order.bro | 2 +- testing/btest/bifs/parse_ftp.bro | 2 +- testing/btest/bifs/rand.bro | 2 +- testing/btest/bifs/raw_bytes_to_v4_addr.bro | 2 +- testing/btest/bifs/reading_traces.bro | 2 +- testing/btest/bifs/record_type_to_vector.bro | 2 +- testing/btest/bifs/records_fields.bro | 2 +- testing/btest/bifs/resize.bro | 2 +- testing/btest/bifs/reverse.bro | 2 +- testing/btest/bifs/rotate_file.bro | 2 +- testing/btest/bifs/rotate_file_by_name.bro | 2 +- testing/btest/bifs/same_object.bro | 2 +- testing/btest/bifs/sort.bro | 2 +- testing/btest/bifs/sort_string_array.bro | 2 +- testing/btest/bifs/split.bro | 2 +- testing/btest/bifs/split_string.bro | 2 +- testing/btest/bifs/str_shell_escape.bro | 2 +- testing/btest/bifs/strcmp.bro | 2 +- testing/btest/bifs/strftime.bro | 2 +- testing/btest/bifs/string_fill.bro | 2 +- testing/btest/bifs/string_to_pattern.bro | 2 +- testing/btest/bifs/strip.bro | 2 +- testing/btest/bifs/strptime.bro | 2 +- testing/btest/bifs/strstr.bro | 2 +- testing/btest/bifs/sub.bro 
| 2 +- testing/btest/bifs/subst_string.bro | 2 +- testing/btest/bifs/system.bro | 2 +- testing/btest/bifs/system_env.bro | 2 +- testing/btest/bifs/to_count.bro | 2 +- testing/btest/bifs/to_double.bro | 2 +- testing/btest/bifs/to_int.bro | 2 +- testing/btest/bifs/to_interval.bro | 2 +- testing/btest/bifs/to_port.bro | 2 +- testing/btest/bifs/to_time.bro | 2 +- testing/btest/bifs/topk.bro | 2 +- testing/btest/bifs/type_name.bro | 2 +- testing/btest/bifs/uuid_to_string.bro | 2 +- testing/btest/bifs/val_size.bro | 2 +- testing/btest/broker/connect-on-retry.bro | 4 +- testing/btest/broker/disconnect.bro | 4 +- testing/btest/broker/error.bro | 2 +- testing/btest/broker/remote_event.bro | 4 +- testing/btest/broker/remote_event_any.bro | 4 +- testing/btest/broker/remote_event_auto.bro | 4 +- .../btest/broker/remote_event_ssl_auth.bro | 4 +- .../btest/broker/remote_event_vector_any.bro | 4 +- testing/btest/broker/remote_id.bro | 4 +- testing/btest/broker/remote_log.bro | 6 +- testing/btest/broker/remote_log_late_join.bro | 6 +- testing/btest/broker/remote_log_types.bro | 6 +- testing/btest/broker/ssl_auth_failure.bro | 4 +- testing/btest/broker/store/clone.bro | 4 +- testing/btest/broker/store/local.bro | 2 +- testing/btest/broker/store/ops.bro | 2 +- testing/btest/broker/store/record.bro | 2 +- testing/btest/broker/store/set.bro | 2 +- testing/btest/broker/store/sqlite.bro | 2 +- testing/btest/broker/store/table.bro | 2 +- .../btest/broker/store/type-conversion.bro | 2 +- testing/btest/broker/store/vector.bro | 2 +- testing/btest/broker/unpeer.bro | 4 +- testing/btest/core/discarder.bro | 8 +- testing/btest/core/div-by-zero.bro | 2 +- testing/btest/core/embedded-null.bro | 2 +- testing/btest/core/event-arg-reuse.bro | 2 +- testing/btest/core/fake_dns.bro | 2 +- .../core/file-caching-serialization.test | 2 +- testing/btest/core/global_opaque_val.bro | 2 +- testing/btest/core/leaks/basic-cluster.bro | 4 +- .../btest/core/leaks/broker/clone_store.bro | 4 +- 
.../btest/core/leaks/broker/master_store.bro | 2 +- .../btest/core/leaks/broker/remote_event.test | 4 +- .../btest/core/leaks/broker/remote_log.test | 6 +- testing/btest/core/leaks/exec.test | 2 +- testing/btest/core/leaks/hll_cluster.bro | 4 +- testing/btest/core/leaks/input-basic.bro | 2 +- testing/btest/core/leaks/input-errors.bro | 2 +- .../btest/core/leaks/input-missing-enum.bro | 2 +- .../btest/core/leaks/input-optional-event.bro | 2 +- .../btest/core/leaks/input-optional-table.bro | 2 +- testing/btest/core/leaks/input-raw.bro | 2 +- testing/btest/core/leaks/input-reread.bro | 2 +- testing/btest/core/leaks/input-sqlite.bro | 2 +- .../btest/core/leaks/input-with-remove.bro | 2 +- testing/btest/core/leaks/returnwhen.bro | 2 +- testing/btest/core/old_comm_usage.bro | 2 +- testing/btest/core/option-priorities.bro | 2 +- testing/btest/core/option-redef.bro | 2 +- testing/btest/core/pcap/dynamic-filter.bro | 2 +- testing/btest/core/pcap/filter-error.bro | 2 +- testing/btest/core/pcap/input-error.bro | 2 +- testing/btest/core/pcap/pseudo-realtime.bro | 2 +- testing/btest/core/reassembly.bro | 2 +- testing/btest/core/recursive-event.bro | 2 +- .../btest/core/reporter-error-in-handler.bro | 2 +- testing/btest/core/reporter-fmt-strings.bro | 2 +- testing/btest/core/reporter-parse-error.bro | 2 +- testing/btest/core/reporter-runtime-error.bro | 2 +- testing/btest/core/reporter-type-mismatch.bro | 2 +- testing/btest/core/reporter.bro | 4 +- testing/btest/core/vector-assignment.bro | 2 +- .../core/when-interpreter-exceptions.bro | 2 +- testing/btest/doc/broxygen/all_scripts.test | 14 - testing/btest/doc/broxygen/command_line.bro | 7 - .../doc/broxygen/comment_retrieval_bifs.bro | 111 -------- testing/btest/doc/broxygen/enums.bro | 43 --- testing/btest/doc/broxygen/example.bro | 8 - testing/btest/doc/broxygen/func-params.bro | 24 -- testing/btest/doc/broxygen/identifier.bro | 9 - testing/btest/doc/broxygen/package.bro | 9 - testing/btest/doc/broxygen/package_index.bro | 9 
- testing/btest/doc/broxygen/records.bro | 26 -- testing/btest/doc/broxygen/script_index.bro | 9 - testing/btest/doc/broxygen/script_summary.bro | 9 - testing/btest/doc/broxygen/type-aliases.bro | 34 --- testing/btest/doc/broxygen/vectors.bro | 20 -- testing/btest/doc/record-add.bro | 36 --- testing/btest/doc/record-attr-check.bro | 9 - testing/btest/language/addr.bro | 2 +- testing/btest/language/any.bro | 2 +- testing/btest/language/at-if-event.bro | 8 +- testing/btest/language/at-if-invalid.bro | 2 +- testing/btest/language/at-if.bro | 2 +- testing/btest/language/at-ifdef.bro | 2 +- testing/btest/language/at-ifndef.bro | 2 +- testing/btest/language/at-load.bro | 2 +- .../btest/language/attr-default-coercion.bro | 2 +- testing/btest/language/bool.bro | 2 +- .../btest/language/conditional-expression.bro | 2 +- testing/btest/language/const.bro | 4 +- testing/btest/language/copy.bro | 2 +- testing/btest/language/count.bro | 2 +- testing/btest/language/deprecated.bro | 2 +- testing/btest/language/double.bro | 2 +- testing/btest/language/enum.bro | 2 +- testing/btest/language/event-local-var.bro | 2 +- testing/btest/language/event.bro | 2 +- testing/btest/language/expire-expr-error.bro | 2 +- testing/btest/language/expire-func-undef.bro | 2 +- testing/btest/language/expire-redef.bro | 2 +- testing/btest/language/expire_func.test | 2 +- testing/btest/language/expire_func_mod.bro | 2 +- testing/btest/language/expire_subnet.test | 2 +- testing/btest/language/file.bro | 2 +- testing/btest/language/for.bro | 2 +- testing/btest/language/func-assignment.bro | 2 +- testing/btest/language/function.bro | 2 +- testing/btest/language/hook.bro | 2 +- testing/btest/language/hook_calls.bro | 4 +- testing/btest/language/if.bro | 2 +- .../language/index-assignment-invalid.bro | 2 +- .../btest/language/init-in-anon-function.bro | 2 +- testing/btest/language/int.bro | 2 +- testing/btest/language/interval.bro | 2 +- testing/btest/language/module.bro | 2 +- 
testing/btest/language/named-table-ctors.bro | 2 +- testing/btest/language/next-test.bro | 2 +- testing/btest/language/no-module.bro | 2 +- testing/btest/language/null-statement.bro | 2 +- .../btest/language/outer_param_binding.bro | 2 +- testing/btest/language/pattern.bro | 2 +- testing/btest/language/port.bro | 2 +- testing/btest/language/precedence.bro | 2 +- testing/btest/language/raw_output_attr.test | 2 +- .../btest/language/record-ceorce-orphan.bro | 2 +- .../btest/language/record-coerce-clash.bro | 2 +- .../language/record-function-recursion.bro | 2 +- .../language/record-recursive-coercion.bro | 2 +- .../btest/language/record-type-checking.bro | 10 +- .../language/redef-same-prefixtable-idx.bro | 2 +- testing/btest/language/returnwhen.bro | 2 +- .../btest/language/set-opt-record-index.bro | 2 +- testing/btest/language/set-type-checking.bro | 12 +- testing/btest/language/set.bro | 2 +- testing/btest/language/short-circuit.bro | 2 +- testing/btest/language/string.bro | 2 +- testing/btest/language/strings.bro | 2 +- testing/btest/language/subnet.bro | 2 +- testing/btest/language/switch-incomplete.bro | 2 +- testing/btest/language/switch-statement.bro | 2 +- testing/btest/language/switch-types-vars.bro | 2 +- testing/btest/language/switch-types.bro | 2 +- testing/btest/language/table-init-attrs.bro | 2 +- testing/btest/language/table-init.bro | 2 +- .../btest/language/table-type-checking.bro | 10 +- testing/btest/language/table.bro | 2 +- testing/btest/language/time.bro | 2 +- testing/btest/language/timeout.bro | 2 +- testing/btest/language/type-cast-any.bro | 2 +- .../language/type-cast-error-dynamic.bro | 2 +- .../btest/language/type-cast-error-static.bro | 2 +- testing/btest/language/type-cast-same.bro | 2 +- testing/btest/language/type-check-any.bro | 2 +- testing/btest/language/type-check-vector.bro | 2 +- testing/btest/language/type-type-error.bro | 2 +- .../btest/language/undefined-delete-field.bro | 2 +- .../btest/language/uninitialized-local.bro | 2 
+- .../btest/language/uninitialized-local2.bro | 2 +- testing/btest/language/vector-any-append.bro | 2 +- .../btest/language/vector-type-checking.bro | 10 +- testing/btest/language/vector.bro | 2 +- .../btest/language/when-unitialized-rhs.bro | 2 +- testing/btest/language/when.bro | 2 +- testing/btest/language/while.bro | 2 +- .../btest/plugins/bifs-and-scripts-install.sh | 4 +- testing/btest/plugins/bifs-and-scripts.sh | 4 +- testing/btest/plugins/logging-hooks.bro | 2 +- .../scripts/Demo/Foo/base/main.bro | 2 +- testing/btest/plugins/reader.bro | 2 +- testing/btest/plugins/reporter-hook.bro | 2 +- .../scripts/base/files/extract/limit.bro | 2 +- .../signed_certificate_timestamp_ocsp.test | 2 +- .../frameworks/analyzer/disable-analyzer.bro | 2 +- .../frameworks/analyzer/enable-analyzer.bro | 2 +- .../frameworks/analyzer/register-for-port.bro | 2 +- .../cluster/custom_pool_exclusivity.bro | 2 +- .../frameworks/cluster/custom_pool_limits.bro | 2 +- .../base/frameworks/cluster/forwarding.bro | 2 +- .../frameworks/cluster/log_distribution.bro | 2 +- .../frameworks/cluster/start-it-up-logger.bro | 2 +- .../base/frameworks/cluster/start-it-up.bro | 2 +- .../base/frameworks/config/basic_cluster.bro | 4 +- .../base/frameworks/config/cluster_resend.bro | 4 +- .../base/frameworks/config/read_config.bro | 2 +- .../frameworks/config/read_config_cluster.bro | 4 +- .../scripts/base/frameworks/config/weird.bro | 4 +- .../control/configuration_update.bro | 8 +- .../bifs/file_exists_lookup_file.bro | 2 +- .../file-analysis/bifs/register_mime_type.bro | 2 +- .../frameworks/file-analysis/input/basic.bro | 2 +- .../scripts/base/frameworks/input/basic.bro | 2 +- .../base/frameworks/input/bignumber.bro | 2 +- .../scripts/base/frameworks/input/binary.bro | 2 +- .../base/frameworks/input/config/basic.bro | 2 +- .../base/frameworks/input/config/errors.bro | 2 +- .../scripts/base/frameworks/input/default.bro | 2 +- .../frameworks/input/empty-values-hashing.bro | 2 +- 
.../base/frameworks/input/emptyvals.bro | 2 +- .../scripts/base/frameworks/input/errors.bro | 2 +- .../scripts/base/frameworks/input/event.bro | 2 +- .../base/frameworks/input/invalid-lines.bro | 2 +- .../base/frameworks/input/invalidnumbers.bro | 2 +- .../base/frameworks/input/invalidset.bro | 2 +- .../base/frameworks/input/invalidtext.bro | 2 +- .../base/frameworks/input/missing-enum.bro | 2 +- .../input/missing-file-initially.bro | 2 +- .../base/frameworks/input/missing-file.bro | 2 +- .../frameworks/input/onecolumn-norecord.bro | 2 +- .../frameworks/input/onecolumn-record.bro | 2 +- .../base/frameworks/input/optional.bro | 2 +- .../base/frameworks/input/port-embedded.bro | 2 +- .../scripts/base/frameworks/input/port.bro | 2 +- .../frameworks/input/predicate-stream.bro | 2 +- .../base/frameworks/input/predicate.bro | 2 +- .../base/frameworks/input/predicatemodify.bro | 2 +- .../input/predicatemodifyandreread.bro | 2 +- .../input/predicaterefusesecondsamerecord.bro | 2 +- .../base/frameworks/input/raw/basic.bro | 2 +- .../base/frameworks/input/raw/execute.bro | 2 +- .../frameworks/input/raw/executestdin.bro | 2 +- .../frameworks/input/raw/executestream.bro | 2 +- .../base/frameworks/input/raw/long.bro | 2 +- .../base/frameworks/input/raw/offset.bro | 2 +- .../base/frameworks/input/raw/rereadraw.bro | 2 +- .../base/frameworks/input/raw/stderr.bro | 2 +- .../base/frameworks/input/raw/streamraw.bro | 2 +- .../scripts/base/frameworks/input/repeat.bro | 2 +- .../scripts/base/frameworks/input/reread.bro | 2 +- .../scripts/base/frameworks/input/set.bro | 2 +- .../base/frameworks/input/setseparator.bro | 2 +- .../base/frameworks/input/setspecialcases.bro | 2 +- .../base/frameworks/input/sqlite/basic.bro | 2 +- .../base/frameworks/input/sqlite/error.bro | 2 +- .../base/frameworks/input/sqlite/port.bro | 2 +- .../base/frameworks/input/sqlite/types.bro | 2 +- .../scripts/base/frameworks/input/stream.bro | 2 +- .../base/frameworks/input/subrecord-event.bro | 2 +- 
.../base/frameworks/input/subrecord.bro | 2 +- .../base/frameworks/input/tableevent.bro | 2 +- .../base/frameworks/input/twotables.bro | 2 +- .../frameworks/input/unsupported_types.bro | 2 +- .../scripts/base/frameworks/input/windows.bro | 12 +- .../base/frameworks/intel/expire-item.bro | 2 +- .../base/frameworks/intel/input-and-match.bro | 2 +- .../base/frameworks/intel/match-subnet.bro | 2 +- .../intel/read-file-dist-cluster.bro | 2 +- .../frameworks/intel/remove-non-existing.bro | 2 +- .../base/frameworks/logging/adapt-filter.bro | 2 +- .../base/frameworks/logging/ascii-binary.bro | 2 +- .../base/frameworks/logging/ascii-double.bro | 2 +- .../base/frameworks/logging/ascii-empty.bro | 2 +- .../logging/ascii-escape-binary.bro | 2 +- .../logging/ascii-escape-empty-str.bro | 2 +- .../logging/ascii-escape-notset-str.bro | 2 +- .../logging/ascii-escape-set-separator.bro | 2 +- .../base/frameworks/logging/ascii-escape.bro | 2 +- .../frameworks/logging/ascii-gz-rotate.bro | 2 +- .../base/frameworks/logging/ascii-gz.bro | 2 +- .../logging/ascii-json-iso-timestamps.bro | 2 +- .../logging/ascii-json-optional.bro | 2 +- .../base/frameworks/logging/ascii-json.bro | 2 +- .../logging/ascii-line-like-comment.bro | 2 +- .../base/frameworks/logging/ascii-options.bro | 2 +- .../frameworks/logging/ascii-timestamps.bro | 2 +- .../base/frameworks/logging/ascii-tsv.bro | 2 +- .../base/frameworks/logging/attr-extend.bro | 2 +- .../scripts/base/frameworks/logging/attr.bro | 2 +- .../frameworks/logging/disable-stream.bro | 2 +- .../base/frameworks/logging/empty-event.bro | 2 +- .../base/frameworks/logging/enable-stream.bro | 2 +- .../base/frameworks/logging/events.bro | 2 +- .../base/frameworks/logging/exclude.bro | 2 +- .../logging/field-extension-cluster-error.bro | 2 +- .../logging/field-extension-cluster.bro | 2 +- .../scripts/base/frameworks/logging/file.bro | 2 +- .../base/frameworks/logging/include.bro | 2 +- .../base/frameworks/logging/no-local.bro | 2 +- 
.../base/frameworks/logging/none-debug.bro | 2 +- .../logging/path-func-column-demote.bro | 2 +- .../base/frameworks/logging/path-func.bro | 2 +- .../scripts/base/frameworks/logging/pred.bro | 2 +- .../base/frameworks/logging/remove.bro | 2 +- .../base/frameworks/logging/rotate-custom.bro | 2 +- .../base/frameworks/logging/rotate.bro | 2 +- .../base/frameworks/logging/sqlite/error.bro | 2 +- .../base/frameworks/logging/sqlite/set.bro | 2 +- .../logging/sqlite/simultaneous-writes.bro | 2 +- .../base/frameworks/logging/sqlite/types.bro | 2 +- .../base/frameworks/logging/stdout.bro | 2 +- .../base/frameworks/logging/test-logging.bro | 2 +- .../scripts/base/frameworks/logging/types.bro | 2 +- .../base/frameworks/logging/unset-record.bro | 2 +- .../scripts/base/frameworks/logging/vec.bro | 2 +- .../logging/writer-path-conflict.bro | 2 +- .../base/frameworks/netcontrol/acld-hook.bro | 4 +- .../base/frameworks/netcontrol/acld.bro | 4 +- .../frameworks/netcontrol/basic-cluster.bro | 2 +- .../base/frameworks/netcontrol/broker.bro | 4 +- .../frameworks/notice/suppression-disable.bro | 2 +- .../base/frameworks/notice/suppression.bro | 2 +- .../base/frameworks/openflow/broker-basic.bro | 4 +- .../base/frameworks/openflow/log-basic.bro | 2 +- .../base/frameworks/openflow/log-cluster.bro | 4 +- .../base/frameworks/openflow/ryu-basic.bro | 2 +- .../frameworks/reporter/disable-stderr.bro | 2 +- .../base/frameworks/reporter/stderr.bro | 2 +- .../frameworks/software/version-parsing.bro | 2 +- .../frameworks/sumstats/basic-cluster.bro | 4 +- .../base/frameworks/sumstats/basic.bro | 2 +- .../sumstats/cluster-intermediate-update.bro | 2 +- .../base/frameworks/sumstats/last-cluster.bro | 2 +- .../frameworks/sumstats/on-demand-cluster.bro | 4 +- .../base/frameworks/sumstats/on-demand.bro | 2 +- .../frameworks/sumstats/sample-cluster.bro | 4 +- .../base/frameworks/sumstats/sample.bro | 2 +- .../base/frameworks/sumstats/thresholding.bro | 2 +- .../base/frameworks/sumstats/topk-cluster.bro 
| 4 +- .../scripts/base/frameworks/sumstats/topk.bro | 2 +- .../protocols/http/content-range-gap-skip.bro | 2 +- .../base/protocols/http/http-pipelining.bro | 2 +- .../scripts/base/protocols/irc/basic.test | 2 +- .../scripts/base/protocols/krb/smb2_krb.test | 2 +- .../base/protocols/krb/smb2_krb_nokeytab.test | 2 +- .../scripts/base/protocols/mount/basic.test | 2 +- .../scripts/base/protocols/ncp/event.bro | 2 +- .../base/protocols/ncp/frame_size_tuning.bro | 2 +- .../scripts/base/protocols/nfs/basic.test | 2 +- .../scripts/base/protocols/pop3/starttls.bro | 2 +- .../base/protocols/smb/disabled-dce-rpc.test | 2 +- .../btest/scripts/base/protocols/ssl/dpd.test | 2 +- .../base/protocols/ssl/ocsp-http-get.test | 2 +- .../base/protocols/ssl/ocsp-request-only.test | 2 +- .../protocols/ssl/ocsp-request-response.test | 2 +- .../protocols/ssl/ocsp-response-only.test | 2 +- .../base/protocols/ssl/ocsp-revoked.test | 2 +- .../btest/scripts/base/utils/active-http.test | 2 +- testing/btest/scripts/base/utils/addrs.test | 2 +- .../scripts/base/utils/decompose_uri.bro | 2 +- testing/btest/scripts/base/utils/dir.test | 2 +- .../base/utils/directions-and-hosts.test | 2 +- testing/btest/scripts/base/utils/exec.test | 2 +- testing/btest/scripts/base/utils/files.test | 4 +- testing/btest/scripts/base/utils/json.test | 2 +- testing/btest/scripts/base/utils/queue.test | 4 +- testing/btest/scripts/base/utils/site.test | 2 +- .../policy/frameworks/intel/seen/certs.bro | 2 +- .../policy/frameworks/intel/seen/smtp.bro | 2 +- .../policy/frameworks/intel/whitelisting.bro | 2 +- .../frameworks/software/version-changes.bro | 2 +- .../policy/frameworks/software/vulnerable.bro | 2 +- .../btest/scripts/policy/misc/weird-stats.bro | 2 +- .../http/test-sql-injection-regex.bro | 4 +- testing/btest/signatures/dpd.bro | 2 +- testing/scripts/file-analysis-test.bro | 2 +- 508 files changed, 532 insertions(+), 2016 deletions(-) delete mode 160000 doc delete mode 100644 
testing/btest/Baseline/doc.broxygen.all_scripts/.stderr delete mode 100644 testing/btest/Baseline/doc.broxygen.all_scripts/.stdout delete mode 100644 testing/btest/Baseline/doc.broxygen.command_line/output delete mode 100644 testing/btest/Baseline/doc.broxygen.comment_retrieval_bifs/out delete mode 100644 testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.example/example.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.identifier/test.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.package/test.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.package_index/test.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.script_index/test.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.script_summary/test.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst delete mode 100644 testing/btest/Baseline/doc.manual.connection_record_01/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.connection_record_02/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_struct_record_01/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_struct_record_02/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_struct_set_declaration/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_struct_table_complex/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_struct_table_declaration/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_struct_vector/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_struct_vector_declaration/.stdout delete mode 100644 
testing/btest/Baseline/doc.manual.data_struct_vector_iter/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_type_const/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_type_const_simple/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_type_declaration/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_type_interval/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_type_local/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_type_pattern_01/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_type_pattern_02/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_type_subnets/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.data_type_time/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.framework_logging_factorial_01/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.framework_logging_factorial_02/factor.log delete mode 100644 testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-mod5.log delete mode 100644 testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-non5.log delete mode 100644 testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-mod5.log delete mode 100644 testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-non5.log delete mode 100644 testing/btest/Baseline/doc.manual.framework_notice_hook_01/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.framework_notice_hook_suppression_01/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.framework_notice_shortcuts_01/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.framework_notice_shortcuts_02/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.using_bro_sandbox_01/.stdout delete mode 100644 testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log delete mode 100644 testing/btest/Baseline/doc.manual.using_bro_sandbox_01/http.log delete mode 
100644 testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log delete mode 100644 testing/btest/Baseline/doc.manual.using_bro_sandbox_02/http.log delete mode 100644 testing/btest/doc/broxygen/all_scripts.test delete mode 100644 testing/btest/doc/broxygen/command_line.bro delete mode 100644 testing/btest/doc/broxygen/comment_retrieval_bifs.bro delete mode 100644 testing/btest/doc/broxygen/enums.bro delete mode 100644 testing/btest/doc/broxygen/example.bro delete mode 100644 testing/btest/doc/broxygen/func-params.bro delete mode 100644 testing/btest/doc/broxygen/identifier.bro delete mode 100644 testing/btest/doc/broxygen/package.bro delete mode 100644 testing/btest/doc/broxygen/package_index.bro delete mode 100644 testing/btest/doc/broxygen/records.bro delete mode 100644 testing/btest/doc/broxygen/script_index.bro delete mode 100644 testing/btest/doc/broxygen/script_summary.bro delete mode 100644 testing/btest/doc/broxygen/type-aliases.bro delete mode 100644 testing/btest/doc/broxygen/vectors.bro delete mode 100644 testing/btest/doc/record-add.bro delete mode 100644 testing/btest/doc/record-attr-check.bro diff --git a/doc b/doc deleted file mode 160000 index e9f6728f13..0000000000 --- a/doc +++ /dev/null @@ -1 +0,0 @@ -Subproject commit e9f6728f13165148ca8ffe0b373148ff78b10c6a diff --git a/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr b/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr deleted file mode 100644 index da6c357abf..0000000000 --- a/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr +++ /dev/null 
@@ -1,11 +0,0 @@
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 245: deprecated (dhcp_discover)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 248: deprecated (dhcp_offer)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 251: deprecated (dhcp_request)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 254: deprecated (dhcp_decline)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 257: deprecated (dhcp_ack)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 260: deprecated (dhcp_nak)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 263: deprecated (dhcp_release)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 266: deprecated (dhcp_inform)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.bro, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/scripts/broxygen/__load__.bro:10 "Use '@load base/protocols/smb' instead"
-error in /Users/jon/projects/bro/bro/scripts/policy/frameworks/control/controller.bro, line 22: The '' control command is unknown.
-, line 1: received termination signal
diff --git a/testing/btest/Baseline/doc.broxygen.all_scripts/.stdout b/testing/btest/Baseline/doc.broxygen.all_scripts/.stdout
deleted file mode 100644
index bfc3c033df..0000000000
--- a/testing/btest/Baseline/doc.broxygen.all_scripts/.stdout
+++ /dev/null
@@ -1 +0,0 @@
-WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks.
diff --git a/testing/btest/Baseline/doc.broxygen.command_line/output b/testing/btest/Baseline/doc.broxygen.command_line/output
deleted file mode 100644
index f599e28b8a..0000000000
--- a/testing/btest/Baseline/doc.broxygen.command_line/output
+++ /dev/null
@@ -1 +0,0 @@
-10
diff --git a/testing/btest/Baseline/doc.broxygen.comment_retrieval_bifs/out b/testing/btest/Baseline/doc.broxygen.comment_retrieval_bifs/out
deleted file mode 100644
index 2a01fa0a94..0000000000
--- a/testing/btest/Baseline/doc.broxygen.comment_retrieval_bifs/out
+++ /dev/null
@@ -1,70 +0,0 @@
-This is a test script.
-With some summary comments.
-myvar:
- Hello world. This is an option.
- With some more description here.
- And here.
- Maybe just one more.
-print_lines:
- This function prints a string line by line.
-
- lines: A string to print line by line, w/ lines delimited by newline chars.
- And some more comments on the function implementation.
-mytype:
- This is an alias for count.
-myrecord:
- My record type.
-myrecord$aaa:
- The first field.
- Does something...
- Done w/ aaa.
-myrecord$bbb:
- The second field.
- Done w/ bbb.
- No really, done w/ bbb.
-myrecord$ccc:
- Third field.
- Done w/ ccc.
-myrecord$ddd:
- Fourth field.
- Done w/ ddd.
-myrecord$eee:
- First redef'd field.
- With two lines of comments.
- And two post-notation comments.
- Done w/ eee.
-myrecord$fff:
- Second redef'd field.
- Done w/ fff.
-myrecord$ggg:
- Third redef'd field.
- Done w/ ggg.
-myenum:
- My enum type;
-FIRST:
- First enum value.
- I know, the name isn't clever.
- Done w/ first.
-SECOND:
- Second enum value.
- Done w/ second.
-THIRD:
- Third enum value.
- Done w/ third.
- Done w/ third again.
-FORTH:
- SIC.
- It's a programming language.
- Using Reverse Polish Notation.
- Done w/ forth.
-FIFTH:
- First redef'd enum val.
- Done w/ fifth.
-SIXTH:
- Second redef'd enum val.
- Done w/ sixth.
-SEVENTH:
- Third redef'd enum val.
- Lucky number seven.
- Still works with comma.
- Done w/ seventh.
diff --git a/testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst b/testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst
deleted file mode 100644
index c98d2792df..0000000000
--- a/testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst
+++ /dev/null
@@ -1,60 +0,0 @@
-.. bro:type:: TestEnum1
-
- :Type: :bro:type:`enum`
-
- .. bro:enum:: ONE TestEnum1
-
- like this
-
- .. bro:enum:: TWO TestEnum1
-
- or like this
-
- .. bro:enum:: THREE TestEnum1
-
- multiple
- comments
- and even
- more comments
-
- .. bro:enum:: FOUR TestEnum1
-
- adding another
- value
-
- .. bro:enum:: FIVE TestEnum1
-
- adding another
- value
-
- There's tons of ways an enum can look...
-
-.. bro:type:: TestEnum2
-
- :Type: :bro:type:`enum`
-
- .. bro:enum:: A TestEnum2
-
- like this
-
- .. bro:enum:: B TestEnum2
-
- or like this
-
- .. bro:enum:: C TestEnum2
-
- multiple
- comments
- and even
- more comments
-
- The final comma is optional
-
-.. bro:id:: TestEnumVal
-
- :Type: :bro:type:`TestEnum1`
- :Attributes: :bro:attr:`&redef`
- :Default: ``ONE``
-
- this should reference the TestEnum1 type and not a generic "enum" type
-
diff --git a/testing/btest/Baseline/doc.broxygen.example/example.rst b/testing/btest/Baseline/doc.broxygen.example/example.rst
deleted file mode 100644
index d729ab85ee..0000000000
--- a/testing/btest/Baseline/doc.broxygen.example/example.rst
+++ /dev/null
@@ -1,248 +0,0 @@ -:tocdepth: 3 - -broxygen/example.bro -==================== -.. bro:namespace:: BroxygenExample - -This is an example script that demonstrates Broxygen-style -documentation. It generally will make most sense when viewing -the script's raw source code and comparing to the HTML-rendered -version. - -Comments in the from ``##!`` are meant to summarize the script's -purpose. They are transferred directly in to the generated -`reStructuredText `_ -(reST) document associated with the script. - -.. tip:: You can embed directives and roles within ``##``-stylized comments. - -There's also a custom role to reference any identifier node in -the Bro Sphinx domain that's good for "see alsos", e.g. - -See also: :bro:see:`BroxygenExample::a_var`, -:bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` - -And a custom directive does the equivalent references: - -.. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info - -:Namespace: BroxygenExample -:Imports: :doc:`base/frameworks/notice `, :doc:`base/protocols/http `, :doc:`policy/frameworks/software/vulnerable.bro ` - -Summary -~~~~~~~ -Redefinable Options -################### -==================================================================================== ======================================================= -:bro:id:`BroxygenExample::an_option`: :bro:type:`set` :bro:attr:`&redef` Add documentation for "an_option" here. -:bro:id:`BroxygenExample::option_with_init`: :bro:type:`interval` :bro:attr:`&redef` Default initialization will be generated automatically. -==================================================================================== ======================================================= - -State Variables -############### -======================================================================== ======================================================================== -:bro:id:`BroxygenExample::a_var`: :bro:type:`bool` Put some documentation for "a_var" here. 
-:bro:id:`BroxygenExample::summary_test`: :bro:type:`string` The first sentence for a particular identifier's summary text ends here. -:bro:id:`BroxygenExample::var_without_explicit_type`: :bro:type:`string` Types are inferred, that information is self-documenting. -======================================================================== ======================================================================== - -Types -##### -================================================================================= =========================================================== -:bro:type:`BroxygenExample::ComplexRecord`: :bro:type:`record` :bro:attr:`&redef` General documentation for a type "ComplexRecord" goes here. -:bro:type:`BroxygenExample::Info`: :bro:type:`record` An example record to be used with a logging stream. -:bro:type:`BroxygenExample::SimpleEnum`: :bro:type:`enum` Documentation for the "SimpleEnum" type goes here. -:bro:type:`BroxygenExample::SimpleRecord`: :bro:type:`record` General documentation for a type "SimpleRecord" goes here. -================================================================================= =========================================================== - -Redefinitions -############# -============================================================= ==================================================================== -:bro:type:`BroxygenExample::SimpleEnum`: :bro:type:`enum` Document the "SimpleEnum" redef here with any special info regarding - the *redef* itself. -:bro:type:`BroxygenExample::SimpleRecord`: :bro:type:`record` Document the record extension *redef* itself here. 
-:bro:type:`Log::ID`: :bro:type:`enum` -:bro:type:`Notice::Type`: :bro:type:`enum` -============================================================= ==================================================================== - -Events -###### -====================================================== ========================== -:bro:id:`BroxygenExample::an_event`: :bro:type:`event` Summarize "an_event" here. -====================================================== ========================== - -Functions -######### -=========================================================== ======================================= -:bro:id:`BroxygenExample::a_function`: :bro:type:`function` Summarize purpose of "a_function" here. -=========================================================== ======================================= - - -Detailed Interface -~~~~~~~~~~~~~~~~~~ -Redefinable Options -################### -.. bro:id:: BroxygenExample::an_option - - :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`] - :Attributes: :bro:attr:`&redef` - :Default: ``{}`` - - Add documentation for "an_option" here. - The type/attribute information is all generated automatically. - -.. bro:id:: BroxygenExample::option_with_init - - :Type: :bro:type:`interval` - :Attributes: :bro:attr:`&redef` - :Default: ``10.0 msecs`` - - Default initialization will be generated automatically. - More docs can be added here. - -State Variables -############### -.. bro:id:: BroxygenExample::a_var - - :Type: :bro:type:`bool` - - Put some documentation for "a_var" here. Any global/non-const that - isn't a function/event/hook is classified as a "state variable" - in the generated docs. - -.. bro:id:: BroxygenExample::summary_test - - :Type: :bro:type:`string` - - The first sentence for a particular identifier's summary text ends here. - And this second sentence doesn't show in the short description provided - by the table of all identifiers declared by this script. - -.. 
bro:id:: BroxygenExample::var_without_explicit_type - - :Type: :bro:type:`string` - :Default: ``"this works"`` - - Types are inferred, that information is self-documenting. - -Types -##### -.. bro:type:: BroxygenExample::ComplexRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field3: :bro:type:`BroxygenExample::SimpleRecord` - Broxygen automatically tracks types - and cross-references are automatically - inserted in to generated docs. - - msg: :bro:type:`string` :bro:attr:`&default` = ``"blah"`` :bro:attr:`&optional` - Attributes are self-documenting. - :Attributes: :bro:attr:`&redef` - - General documentation for a type "ComplexRecord" goes here. - -.. bro:type:: BroxygenExample::Info - - :Type: :bro:type:`record` - - ts: :bro:type:`time` :bro:attr:`&log` - - uid: :bro:type:`string` :bro:attr:`&log` - - status: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional` - - An example record to be used with a logging stream. - Nothing special about it. If another script redefs this type - to add fields, the generated documentation will show all original - fields plus the extensions and the scripts which contributed to it - (provided they are also @load'ed). - -.. bro:type:: BroxygenExample::SimpleEnum - - :Type: :bro:type:`enum` - - .. bro:enum:: BroxygenExample::ONE BroxygenExample::SimpleEnum - - Documentation for particular enum values is added like this. - And can also span multiple lines. - - .. bro:enum:: BroxygenExample::TWO BroxygenExample::SimpleEnum - - Or this style is valid to document the preceding enum value. - - .. bro:enum:: BroxygenExample::THREE BroxygenExample::SimpleEnum - - .. bro:enum:: BroxygenExample::FOUR BroxygenExample::SimpleEnum - - And some documentation for "FOUR". - - .. bro:enum:: BroxygenExample::FIVE BroxygenExample::SimpleEnum - - Also "FIVE". - - Documentation for the "SimpleEnum" type goes here. - It can span multiple lines. - -.. 
bro:type:: BroxygenExample::SimpleRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field_ext: :bro:type:`string` :bro:attr:`&optional` - Document the extending field like this. - Or here, like this. - - General documentation for a type "SimpleRecord" goes here. - The way fields can be documented is similar to what's already seen - for enums. - -Events -###### -.. bro:id:: BroxygenExample::an_event - - :Type: :bro:type:`event` (name: :bro:type:`string`) - - Summarize "an_event" here. - Give more details about "an_event" here. - - BroxygenExample::a_function should not be confused as a parameter - in the generated docs, but it also doesn't generate a cross-reference - link. Use the see role instead: :bro:see:`BroxygenExample::a_function`. - - - :name: Describe the argument here. - -Functions -######### -.. bro:id:: BroxygenExample::a_function - - :Type: :bro:type:`function` (tag: :bro:type:`string`, msg: :bro:type:`string`) : :bro:type:`string` - - Summarize purpose of "a_function" here. - Give more details about "a_function" here. - Separating the documentation of the params/return values with - empty comments is optional, but improves readability of script. - - - :tag: Function arguments can be described - like this. - - - :msg: Another param. - - - :returns: Describe the return type here. - - diff --git a/testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst b/testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst deleted file mode 100644 index 06f196b73c..0000000000 --- a/testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst +++ /dev/null 
@@ -1,30 +0,0 @@ -.. bro:id:: test_func_params_func - - :Type: :bro:type:`function` (i: :bro:type:`int`, j: :bro:type:`int`) : :bro:type:`string` - - This is a global function declaration. - - - :i: First param. - - :j: Second param. - - - :returns: A string. - -.. bro:type:: test_func_params_rec - - :Type: :bro:type:`record` - - field_func: :bro:type:`function` (i: :bro:type:`int`, j: :bro:type:`int`) : :bro:type:`string` - This is a record field function. - - - :i: First param. - - :j: Second param. - - - :returns: A string. - - diff --git a/testing/btest/Baseline/doc.broxygen.identifier/test.rst b/testing/btest/Baseline/doc.broxygen.identifier/test.rst deleted file mode 100644 index 0c7c44581d..0000000000 --- a/testing/btest/Baseline/doc.broxygen.identifier/test.rst +++ /dev/null 
@@ -1,230 +0,0 @@ -.. bro:id:: BroxygenExample::Broxygen_One - - :Type: :bro:type:`Notice::Type` - - Any number of this type of comment - will document "Broxygen_One". - -.. bro:id:: BroxygenExample::Broxygen_Two - - :Type: :bro:type:`Notice::Type` - - Any number of this type of comment - will document "BROXYGEN_TWO". - -.. bro:id:: BroxygenExample::Broxygen_Three - - :Type: :bro:type:`Notice::Type` - - -.. bro:id:: BroxygenExample::Broxygen_Four - - :Type: :bro:type:`Notice::Type` - - Omitting comments is fine, and so is mixing ``##`` and ``##<``, but - it's probably best to use only one style consistently. - -.. bro:id:: BroxygenExample::LOG - - :Type: :bro:type:`Log::ID` - - -.. bro:type:: BroxygenExample::SimpleEnum - - :Type: :bro:type:`enum` - - .. bro:enum:: BroxygenExample::ONE BroxygenExample::SimpleEnum - - Documentation for particular enum values is added like this. - And can also span multiple lines. - - .. bro:enum:: BroxygenExample::TWO BroxygenExample::SimpleEnum - - Or this style is valid to document the preceding enum value. - - .. bro:enum:: BroxygenExample::THREE BroxygenExample::SimpleEnum - - .. bro:enum:: BroxygenExample::FOUR BroxygenExample::SimpleEnum - - And some documentation for "FOUR". - - .. bro:enum:: BroxygenExample::FIVE BroxygenExample::SimpleEnum - - Also "FIVE". - - Documentation for the "SimpleEnum" type goes here. - It can span multiple lines. - -.. bro:id:: BroxygenExample::ONE - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - Documentation for particular enum values is added like this. - And can also span multiple lines. - -.. bro:id:: BroxygenExample::TWO - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - Or this style is valid to document the preceding enum value. - -.. bro:id:: BroxygenExample::THREE - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - -.. bro:id:: BroxygenExample::FOUR - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - And some documentation for "FOUR". - -.. 
bro:id:: BroxygenExample::FIVE - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - Also "FIVE". - -.. bro:type:: BroxygenExample::SimpleRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field_ext: :bro:type:`string` :bro:attr:`&optional` - Document the extending field like this. - Or here, like this. - - General documentation for a type "SimpleRecord" goes here. - The way fields can be documented is similar to what's already seen - for enums. - -.. bro:type:: BroxygenExample::ComplexRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field3: :bro:type:`BroxygenExample::SimpleRecord` - Broxygen automatically tracks types - and cross-references are automatically - inserted in to generated docs. - - msg: :bro:type:`string` :bro:attr:`&default` = ``"blah"`` :bro:attr:`&optional` - Attributes are self-documenting. - :Attributes: :bro:attr:`&redef` - - General documentation for a type "ComplexRecord" goes here. - -.. bro:type:: BroxygenExample::Info - - :Type: :bro:type:`record` - - ts: :bro:type:`time` :bro:attr:`&log` - - uid: :bro:type:`string` :bro:attr:`&log` - - status: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional` - - An example record to be used with a logging stream. - Nothing special about it. If another script redefs this type - to add fields, the generated documentation will show all original - fields plus the extensions and the scripts which contributed to it - (provided they are also @load'ed). - -.. bro:id:: BroxygenExample::an_option - - :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`] - :Attributes: :bro:attr:`&redef` - :Default: ``{}`` - - Add documentation for "an_option" here. - The type/attribute information is all generated automatically. - -.. 
bro:id:: BroxygenExample::option_with_init - - :Type: :bro:type:`interval` - :Attributes: :bro:attr:`&redef` - :Default: ``10.0 msecs`` - - Default initialization will be generated automatically. - More docs can be added here. - -.. bro:id:: BroxygenExample::a_var - - :Type: :bro:type:`bool` - - Put some documentation for "a_var" here. Any global/non-const that - isn't a function/event/hook is classified as a "state variable" - in the generated docs. - -.. bro:id:: BroxygenExample::var_without_explicit_type - - :Type: :bro:type:`string` - :Default: ``"this works"`` - - Types are inferred, that information is self-documenting. - -.. bro:id:: BroxygenExample::summary_test - - :Type: :bro:type:`string` - - The first sentence for a particular identifier's summary text ends here. - And this second sentence doesn't show in the short description provided - by the table of all identifiers declared by this script. - -.. bro:id:: BroxygenExample::a_function - - :Type: :bro:type:`function` (tag: :bro:type:`string`, msg: :bro:type:`string`) : :bro:type:`string` - - Summarize purpose of "a_function" here. - Give more details about "a_function" here. - Separating the documentation of the params/return values with - empty comments is optional, but improves readability of script. - - - :tag: Function arguments can be described - like this. - - - :msg: Another param. - - - :returns: Describe the return type here. - -.. bro:id:: BroxygenExample::an_event - - :Type: :bro:type:`event` (name: :bro:type:`string`) - - Summarize "an_event" here. - Give more details about "an_event" here. - - BroxygenExample::a_function should not be confused as a parameter - in the generated docs, but it also doesn't generate a cross-reference - link. Use the see role instead: :bro:see:`BroxygenExample::a_function`. - - - :name: Describe the argument here. - -.. bro:id:: BroxygenExample::function_without_proto - - :Type: :bro:type:`function` (tag: :bro:type:`string`) : :bro:type:`string` - - -.. 
bro:type:: BroxygenExample::PrivateRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`bool` - - field2: :bro:type:`count` - - diff --git a/testing/btest/Baseline/doc.broxygen.package/test.rst b/testing/btest/Baseline/doc.broxygen.package/test.rst deleted file mode 100644 index b96de2148b..0000000000 --- a/testing/btest/Baseline/doc.broxygen.package/test.rst +++ /dev/null @@ -1,37 +0,0 @@ -:orphan: - -Package: broxygen -================= - -This package is loaded during the process which automatically generates -reference documentation for all Bro scripts (i.e. "Broxygen"). Its only -purpose is to provide an easy way to load all known Bro scripts plus any -extra scripts needed or used by the documentation process. - -:doc:`/scripts/broxygen/__load__.bro` - - -:doc:`/scripts/broxygen/example.bro` - - This is an example script that demonstrates Broxygen-style - documentation. It generally will make most sense when viewing - the script's raw source code and comparing to the HTML-rendered - version. - - Comments in the from ``##!`` are meant to summarize the script's - purpose. They are transferred directly in to the generated - `reStructuredText `_ - (reST) document associated with the script. - - .. tip:: You can embed directives and roles within ``##``-stylized comments. - - There's also a custom role to reference any identifier node in - the Bro Sphinx domain that's good for "see alsos", e.g. - - See also: :bro:see:`BroxygenExample::a_var`, - :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` - - And a custom directive does the equivalent references: - - .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info - diff --git a/testing/btest/Baseline/doc.broxygen.package_index/test.rst b/testing/btest/Baseline/doc.broxygen.package_index/test.rst deleted file mode 100644 index f551ab1cd3..0000000000 --- a/testing/btest/Baseline/doc.broxygen.package_index/test.rst +++ /dev/null 
@@ -1,7 +0,0 @@ -:doc:`broxygen ` - - This package is loaded during the process which automatically generates - reference documentation for all Bro scripts (i.e. "Broxygen"). Its only - purpose is to provide an easy way to load all known Bro scripts plus any - extra scripts needed or used by the documentation process. - diff --git a/testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst b/testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst deleted file mode 100644 index 60d80f6b07..0000000000 --- a/testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst +++ /dev/null @@ -1,28 +0,0 @@ -.. bro:type:: TestRecord1 - - :Type: :bro:type:`record` - - field1: :bro:type:`bool` - - field2: :bro:type:`count` - - -.. bro:type:: TestRecord2 - - :Type: :bro:type:`record` - - A: :bro:type:`count` - document ``A`` - - B: :bro:type:`bool` - document ``B`` - - C: :bro:type:`TestRecord1` - and now ``C`` - is a declared type - - D: :bro:type:`set` [:bro:type:`count`, :bro:type:`bool`] - sets/tables should show the index types - - Here's the ways records and record fields can be documented. - diff --git a/testing/btest/Baseline/doc.broxygen.script_index/test.rst b/testing/btest/Baseline/doc.broxygen.script_index/test.rst deleted file mode 100644 index dda280facf..0000000000 --- a/testing/btest/Baseline/doc.broxygen.script_index/test.rst +++ /dev/null @@ -1,5 +0,0 @@ -.. toctree:: - :maxdepth: 1 - - broxygen/__load__.bro - broxygen/example.bro diff --git a/testing/btest/Baseline/doc.broxygen.script_summary/test.rst b/testing/btest/Baseline/doc.broxygen.script_summary/test.rst deleted file mode 100644 index 125a579c81..0000000000 --- a/testing/btest/Baseline/doc.broxygen.script_summary/test.rst +++ /dev/null 
@@ -1,23 +0,0 @@ -:doc:`/scripts/broxygen/example.bro` - This is an example script that demonstrates Broxygen-style - documentation. It generally will make most sense when viewing - the script's raw source code and comparing to the HTML-rendered - version. - - Comments in the from ``##!`` are meant to summarize the script's - purpose. They are transferred directly in to the generated - `reStructuredText `_ - (reST) document associated with the script. - - .. tip:: You can embed directives and roles within ``##``-stylized comments. - - There's also a custom role to reference any identifier node in - the Bro Sphinx domain that's good for "see alsos", e.g. - - See also: :bro:see:`BroxygenExample::a_var`, - :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` - - And a custom directive does the equivalent references: - - .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info - diff --git a/testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst b/testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst deleted file mode 100644 index 3a26b8adc6..0000000000 --- a/testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst +++ /dev/null 
@@ -1,44 +0,0 @@ -.. bro:type:: BroxygenTest::TypeAlias - - :Type: :bro:type:`bool` - - This is just an alias for a builtin type ``bool``. - -.. bro:type:: BroxygenTest::NotTypeAlias - - :Type: :bro:type:`bool` - - This type should get its own comments, not associated w/ TypeAlias. - -.. bro:type:: BroxygenTest::OtherTypeAlias - - :Type: :bro:type:`bool` - - This cross references ``bool`` in the description of its type - instead of ``TypeAlias`` just because it seems more useful -- - one doesn't have to click through the full type alias chain to - find out what the actual type is... - -.. bro:id:: BroxygenTest::a - - :Type: :bro:type:`BroxygenTest::TypeAlias` - - But this should reference a type of ``TypeAlias``. - -.. bro:id:: BroxygenTest::b - - :Type: :bro:type:`BroxygenTest::OtherTypeAlias` - - And this should reference a type of ``OtherTypeAlias``. - -.. bro:type:: BroxygenTest::MyRecord - - :Type: :bro:type:`record` - - f1: :bro:type:`BroxygenTest::TypeAlias` - - f2: :bro:type:`BroxygenTest::OtherTypeAlias` - - f3: :bro:type:`bool` - - diff --git a/testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst b/testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst deleted file mode 100644 index 37eabb9419..0000000000 --- a/testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst +++ /dev/null @@ -1,33 +0,0 @@ -.. bro:id:: test_vector0 - - :Type: :bro:type:`vector` of :bro:type:`string` - :Default: - - :: - - [] - - Yield type is documented/cross-referenced for primitize types. - -.. bro:id:: test_vector1 - - :Type: :bro:type:`vector` of :bro:type:`TestRecord` - :Default: - - :: - - [] - - Yield type is documented/cross-referenced for composite types. - -.. bro:id:: test_vector2 - - :Type: :bro:type:`vector` of :bro:type:`vector` of :bro:type:`TestRecord` - :Default: - - :: - - [] - - Just showing an even fancier yield type. - 
diff --git a/testing/btest/Baseline/doc.manual.connection_record_01/.stdout b/testing/btest/Baseline/doc.manual.connection_record_01/.stdout deleted file mode 100644 index 7f134460e3..0000000000 --- a/testing/btest/Baseline/doc.manual.connection_record_01/.stdout +++ /dev/null @@ -1,5 +0,0 @@ -[id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={ - -}, addl=, hot=0, history=ShADadFf, uid=UWkUyAuUGXf, tunnel=, conn=[ts=930613226.067666, uid=UWkUyAuUGXf, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={ - -}], extract_orig=F, extract_resp=F] diff --git a/testing/btest/Baseline/doc.manual.connection_record_02/.stdout b/testing/btest/Baseline/doc.manual.connection_record_02/.stdout deleted file mode 100644 index 824dd03097..0000000000 --- a/testing/btest/Baseline/doc.manual.connection_record_02/.stdout +++ /dev/null 
@@ -1,9 +0,0 @@ -[id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={ - -}, addl=, hot=0, history=ShADadFf, uid=UWkUyAuUGXf, tunnel=, conn=[ts=930613226.067666, uid=UWkUyAuUGXf, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={ - -}], extract_orig=F, extract_resp=F, dns=, dns_state=[pending={ - -}, finished_answers={ -34798 -}]] diff --git a/testing/btest/Baseline/doc.manual.data_struct_record_01/.stdout b/testing/btest/Baseline/doc.manual.data_struct_record_01/.stdout deleted file mode 100644 index 4e628b9ae7..0000000000 --- a/testing/btest/Baseline/doc.manual.data_struct_record_01/.stdout +++ /dev/null @@ -1,6 +0,0 @@ -Service: dns(RFC1035) - port: 53/tcp - port: 53/udp -Service: http(RFC2616) - port: 80/tcp - port: 8080/tcp diff --git a/testing/btest/Baseline/doc.manual.data_struct_record_02/.stdout b/testing/btest/Baseline/doc.manual.data_struct_record_02/.stdout deleted file mode 100644 index 0428764bea..0000000000 --- a/testing/btest/Baseline/doc.manual.data_struct_record_02/.stdout +++ /dev/null @@ -1,7 +0,0 @@ -System: morlock - Service: dns(RFC1035) - port: 53/tcp - port: 53/udp - Service: http(RFC2616) - port: 80/tcp - port: 8080/tcp diff --git a/testing/btest/Baseline/doc.manual.data_struct_set_declaration/.stdout b/testing/btest/Baseline/doc.manual.data_struct_set_declaration/.stdout deleted file mode 100644 index d1aa16c7d3..0000000000 --- a/testing/btest/Baseline/doc.manual.data_struct_set_declaration/.stdout +++ /dev/null 
@@ -1,8 +0,0 @@
-SSL Port: 993/tcp
-SSL Port: 22/tcp
-SSL Port: 587/tcp
-SSL Port: 443/tcp
-Non-SSL Port: 143/tcp
-Non-SSL Port: 25/tcp
-Non-SSL Port: 80/tcp
-Non-SSL Port: 23/tcp
diff --git a/testing/btest/Baseline/doc.manual.data_struct_table_complex/.stdout b/testing/btest/Baseline/doc.manual.data_struct_table_complex/.stdout
deleted file mode 100644
index e22f36a244..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_table_complex/.stdout
+++ /dev/null
@@ -1,4 +0,0 @@
-Kiru was released in 1968 by Toho studios, directed by Kihachi Okamoto and starring Tatsuya Nakadai
-Goyokin was released in 1969 by Fuji studios, directed by Hideo Gosha and starring Tatsuya Nakadai
-Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai
-Tasogare Seibei was released in 2002 by Eisei Gekijo studios, directed by Yoji Yamada and starring Hiroyuki Sanada
diff --git a/testing/btest/Baseline/doc.manual.data_struct_table_declaration/.stdout b/testing/btest/Baseline/doc.manual.data_struct_table_declaration/.stdout
deleted file mode 100644
index 19b1648904..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_table_declaration/.stdout
+++ /dev/null
@@ -1,4 +0,0 @@
-Service Name: IMAPS - Common Port: 993/tcp
-Service Name: HTTPS - Common Port: 443/tcp
-Service Name: SSH - Common Port: 22/tcp
-Service Name: SMTPS - Common Port: 587/tcp
diff --git a/testing/btest/Baseline/doc.manual.data_struct_vector/.stdout b/testing/btest/Baseline/doc.manual.data_struct_vector/.stdout
deleted file mode 100644
index 8348ce7198..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_vector/.stdout
+++ /dev/null
@@ -1,2 +0,0 @@
-[1, 2, 3, 4]
-[1, 2, 3, 4]
diff --git a/testing/btest/Baseline/doc.manual.data_struct_vector_declaration/.stdout b/testing/btest/Baseline/doc.manual.data_struct_vector_declaration/.stdout
deleted file mode 100644
index 48ce5d9c56..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_vector_declaration/.stdout
+++ /dev/null
@@ -1,4 +0,0 @@
-contents of v1: [1, 2, 3, 4]
-length of v1: 4
-contents of v1: [1, 2, 3, 4]
-length of v2: 4
diff --git a/testing/btest/Baseline/doc.manual.data_struct_vector_iter/.stdout b/testing/btest/Baseline/doc.manual.data_struct_vector_iter/.stdout
deleted file mode 100644
index 0326e6580e..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_vector_iter/.stdout
+++ /dev/null
@@ -1,3 +0,0 @@
-1.2.0.0/18
-2.3.0.0/18
-3.4.0.0/18
diff --git a/testing/btest/Baseline/doc.manual.data_type_const/.stdout b/testing/btest/Baseline/doc.manual.data_type_const/.stdout
deleted file mode 100644
index 0e49670a83..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_const/.stdout
+++ /dev/null
@@ -1,4 +0,0 @@
-{
-[6666/tcp] = IRC,
-[80/tcp] = WWW
-}
diff --git a/testing/btest/Baseline/doc.manual.data_type_const_simple/.stdout b/testing/btest/Baseline/doc.manual.data_type_const_simple/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.data_type_declaration/.stdout b/testing/btest/Baseline/doc.manual.data_type_declaration/.stdout
deleted file mode 100644
index a6f28b5e52..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_declaration/.stdout
+++ /dev/null
@@ -1 +0,0 @@
-A: 10, B: 10
diff --git a/testing/btest/Baseline/doc.manual.data_type_interval/.stdout b/testing/btest/Baseline/doc.manual.data_type_interval/.stdout
deleted file mode 100644
index 1cd5999711..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_interval/.stdout
+++ /dev/null
@@ -1,15 +0,0 @@
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 132.0 msecs 97.0 usecs
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 177.0 usecs
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 2.0 msecs 177.0 usecs
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 33.0 msecs 898.0 usecs
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 35.0 usecs
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 2.0 msecs 532.0 usecs
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2
- Time since last connection: 7.0 msecs 866.0 usecs
diff --git a/testing/btest/Baseline/doc.manual.data_type_local/.stdout b/testing/btest/Baseline/doc.manual.data_type_local/.stdout
deleted file mode 100644
index e150c0b19d..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_local/.stdout
+++ /dev/null
@@ -1 +0,0 @@
-i + 2 = 12
diff --git a/testing/btest/Baseline/doc.manual.data_type_pattern_01/.stdout b/testing/btest/Baseline/doc.manual.data_type_pattern_01/.stdout
deleted file mode 100644
index 11358a776e..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_pattern_01/.stdout
+++ /dev/null
@@ -1,3 +0,0 @@
-The
- brown fox jumped over the
- dog.
diff --git a/testing/btest/Baseline/doc.manual.data_type_pattern_02/.stdout b/testing/btest/Baseline/doc.manual.data_type_pattern_02/.stdout
deleted file mode 100644
index 808dc3d572..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_pattern_02/.stdout
+++ /dev/null
@@ -1,2 +0,0 @@
-equality and /^?(equal)$?/ are not equal
-equality and /^?(equality)$?/ are equal
diff --git a/testing/btest/Baseline/doc.manual.data_type_subnets/.stdout b/testing/btest/Baseline/doc.manual.data_type_subnets/.stdout
deleted file mode 100644
index facaaabe64..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_subnets/.stdout
+++ /dev/null
@@ -1,4 +0,0 @@
-172.16.4.56 belongs to subnet 172.16.0.0/20
-172.16.47.254 belongs to subnet 172.16.32.0/20
-172.16.22.45 belongs to subnet 172.16.16.0/20
-172.16.1.1 belongs to subnet 172.16.0.0/20
diff --git a/testing/btest/Baseline/doc.manual.data_type_time/.stdout b/testing/btest/Baseline/doc.manual.data_type_time/.stdout
deleted file mode 100644
index 149cb40e2a..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_time/.stdout
+++ /dev/null
@@ -1,8 +0,0 @@
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118^J
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
-2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2^J
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_01/.stdout b/testing/btest/Baseline/doc.manual.framework_logging_factorial_01/.stdout
deleted file mode 100644
index db47b283d0..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_01/.stdout
+++ /dev/null
@@ -1,10 +0,0 @@
-1
-2
-6
-24
-120
-720
-5040
-40320
-362880
-3628800
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_02/factor.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_02/factor.log
deleted file mode 100644
index c643116265..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_02/factor.log
+++ /dev/null
@@ -1,19 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor
-#open 2013-03-19-03-25-33
-#fields num factorial_num
-#types count count
-1 1
-2 2
-3 6
-4 24
-5 120
-6 720
-7 5040
-8 40320
-9 362880
-10 3628800
-#close 2013-03-19-03-25-33
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-mod5.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-mod5.log
deleted file mode 100644
index 2a466484d6..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-mod5.log
+++ /dev/null
@@ -1,15 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor-mod5
-#open 2013-03-20-03-22-52
-#fields num factorial_num
-#types count count
-5 120
-6 720
-7 5040
-8 40320
-9 362880
-10 3628800
-#close 2013-03-20-03-22-52
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-non5.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-non5.log
deleted file mode 100644
index 4430dcc8a4..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-non5.log
+++ /dev/null
@@ -1,13 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor-non5
-#open 2013-03-20-03-22-52
-#fields num factorial_num
-#types count count
-1 1
-2 2
-3 6
-4 24
-#close 2013-03-20-03-22-52
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-mod5.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-mod5.log
deleted file mode 100644
index 6b50ca55e7..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-mod5.log
+++ /dev/null
@@ -1,15 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor-mod5
-#open 2013-03-25-02-00-12
-#fields num factorial_num
-#types count count
-5 120
-6 720
-7 5040
-8 40320
-9 362880
-10 3628800
-#close 2013-03-25-02-00-12
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-non5.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-non5.log
deleted file mode 100644
index d272ba48a9..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-non5.log
+++ /dev/null
@@ -1,13 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor-non5
-#open 2013-03-25-02-00-12
-#fields num factorial_num
-#types count count
-1 1
-2 2
-3 6
-4 24
-#close 2013-03-25-02-00-12
diff --git a/testing/btest/Baseline/doc.manual.framework_notice_hook_01/.stdout b/testing/btest/Baseline/doc.manual.framework_notice_hook_01/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.framework_notice_hook_suppression_01/.stdout b/testing/btest/Baseline/doc.manual.framework_notice_hook_suppression_01/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.framework_notice_shortcuts_01/.stdout b/testing/btest/Baseline/doc.manual.framework_notice_shortcuts_01/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.framework_notice_shortcuts_02/.stdout b/testing/btest/Baseline/doc.manual.framework_notice_shortcuts_02/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/.stdout b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log
deleted file mode 100644
index 6eb08725f5..0000000000
--- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log
+++ /dev/null
@@ -1,43 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path conn -#open 2013-05-05-20-51-24 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents -#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] -1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 - -1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - 0 D 1 199 0 0 - -1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - 0 D 1 179 0 0 - -1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - 0 Dd 1 66 1 117 - -1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 - -1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 - -1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 - -1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - 0 Dd 1 80 1 127 - -1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - 0 Dd 1 66 1 211 - -1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - 0 Dd 1 66 1 117 - -1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - 0 Dd 1 80 1 127 - -1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - 0 Dd 1 66 1 211 - -1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - 0 Dd 1 66 1 117 - -1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp 
dns 0.000317 52 99 SF - 0 Dd 1 80 1 127 - -1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - 0 Dd 1 66 1 211 - -1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - 0 Dd 1 64 1 159 - -1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - 0 Dd 1 64 1 226 - -1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 85 0 0 - -1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - 0 D 7 546 0 0 - -1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - 0 D 2 162 0 0 - -1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - 0 D 2 122 0 0 - -1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - 0 D 2 162 0 0 - -1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - 0 D 2 122 0 0 - -1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - 0 D 1 78 0 0 - -1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - 0 ShADad 6 1450 4 950 - -1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - 0 DdA 2 567 1 402 - -1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - 0 ShADad 6 1498 4 950 - -1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - 0 ShADad 4 750 3 576 - -1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - 0 ShADad 6 1468 4 950 - -1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - 0 ShADad 6 1491 4 949 - -1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 
0.220961 1137 733 S1 - 0 ShADad 6 1457 4 949 - -1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - 0 h 0 0 1 48 - -1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - 0 ShADad 4 741 3 396 - -1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - 0 ShADad 6 1445 4 950 - -#close 2013-05-05-20-51-24 diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/http.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/http.log deleted file mode 100644 index 617c1f0e6e..0000000000 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/http.log +++ /dev/null 
@@ -1,23 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path http -#open 2013-05-05-21-12-40 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.918358 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.952307 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org 
/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.952296 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.954820 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.962687 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.975934 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.976436 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.979264 GSxOnSLghOa 141.142.220.118 49998 
208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -#close 2013-05-05-21-12-40 diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log deleted file mode 100644 index cc68286986..0000000000 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log +++ /dev/null 
@@ -1,15 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path conn -#open 2013-05-07-14-38-27 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents -#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] -1320329757.771503 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 tcp http 15.161537 2899 1127 S2 - 0 ShADadF 20 3719 19 1891 - -1320329757.771262 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 tcp http 15.161772 889 377 S2 - 0 ShADadF 8 1229 8 701 - -1320329757.761327 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 tcp http 15.168898 459 189 S2 - 0 ShADadF 5 679 4 353 - -1320329757.458867 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 tcp http 15.471378 1824 751 S2 - 0 ShADadF 12 2324 13 1275 - -1320329757.761638 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 tcp http 15.168613 898 376 S2 - 0 ShADadF 8 1238 8 700 - -1320329757.771755 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 tcp http 15.161267 900 376 S2 - 0 ShADadF 8 1240 8 700 - -#close 2013-05-07-14-38-27 diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/http.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/http.log deleted file mode 100644 index 031a9ce2ce..0000000000 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/http.log +++ /dev/null 
@@ -1,26 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path http -#open 2013-05-07-14-38-27 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1320329757.460004 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 1 GET bro-ids.org / - Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.772457 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 2 GET bro-ids.org /css/pygments.css http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.874406 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 3 GET bro-ids.org /js/jquery.zrssfeed.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.775110 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 1 GET bro-ids.org /css/960.css http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.776072 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 1 GET bro-ids.org /js/jquery.cycle.all.min.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.776421 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 1 GET bro-ids.org /js/jquery.tweet.js 
http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.776240 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 1 GET bro-ids.org /js/jquery.fancybox-1.3.4.pack.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.775251 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 1 GET bro-ids.org /css/bro-ids.css http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.975651 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 4 GET bro-ids.org /js/jquery.tableofcontents.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.979943 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 2 GET bro-ids.org /js/superfish.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.985656 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 2 GET bro-ids.org /js/hoverIntent.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.989904 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 2 GET bro-ids.org /js/general.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.991315 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 2 GET bro-ids.org /js/jquery.collapse.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) 
Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329758.172397 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 3 GET bro-ids.org /css/print.css http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329759.998388 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 4 GET bro-ids.org /documentation/index.html http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329760.146412 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 5 GET bro-ids.org /js/breadcrumbs.js http://bro-ids.org/documentation/index.html Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329762.971726 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 6 GET bro-ids.org /documentation/reporting-problems.html http://bro-ids.org/documentation/index.html Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -#close 2013-05-07-14-38-27 diff --git a/testing/btest/Baseline/language.zeek_init/out b/testing/btest/Baseline/language.zeek_init/out index 31b2428745..aa17ec8aa8 100644 --- a/testing/btest/Baseline/language.zeek_init/out +++ b/testing/btest/Baseline/language.zeek_init/out @@ -1,4 +1,8 @@ -zeek init at priority 10! -bro init at priority 5! -zeek init at priority 0! -bro init at priority -10! +zeek_init at priority 10! +bro_init at priority 5! +zeek_init at priority 0! +bro_init at priority -10! +zeek_done at priority 10! +bro_done at priority 5! +zeek_done at priority 0! +bro_done at priority -10! diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 04908bed0b..1fb96d9d3c 100644 
--- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -562,7 +562,7 @@ 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(Unified2::mappings_initialized, , ()) -> 0.000000 MetaHookPost CallFunction(Unified2::start_watching, , ()) -> -0.000000 MetaHookPost CallFunction(bro_init, , ()) -> +0.000000 MetaHookPost CallFunction(zeek_init, , ()) -> 0.000000 MetaHookPost CallFunction(current_time, , ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 0.000000 MetaHookPost CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) -> @@ -899,7 +899,7 @@ 0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> 0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false -0.000000 MetaHookPost QueueEvent(bro_init()) -> false +0.000000 MetaHookPost QueueEvent(zeek_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_INTERCONN)) @@ -1465,7 +1465,7 @@ 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, , ()) 0.000000 MetaHookPre CallFunction(Unified2::mappings_initialized, , ()) 0.000000 MetaHookPre CallFunction(Unified2::start_watching, , ()) -0.000000 MetaHookPre CallFunction(bro_init, , ()) +0.000000 MetaHookPre CallFunction(zeek_init, , ()) 0.000000 MetaHookPre CallFunction(current_time, , ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) 0.000000 MetaHookPre CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) 
@@ -1802,7 +1802,7 @@ 0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) 0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) 0.000000 MetaHookPre QueueEvent(NetControl::init()) -0.000000 MetaHookPre QueueEvent(bro_init()) +0.000000 MetaHookPre QueueEvent(zeek_init()) 0.000000 MetaHookPre QueueEvent(filter_change_tracking()) 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR) 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_INTERCONN) @@ -2367,7 +2367,7 @@ 0.000000 | HookCallFunction SumStats::register_observe_plugins() 0.000000 | HookCallFunction Unified2::mappings_initialized() 0.000000 | HookCallFunction Unified2::start_watching() -0.000000 | HookCallFunction bro_init() +0.000000 | HookCallFunction zeek_init() 0.000000 | HookCallFunction current_time() 0.000000 | HookCallFunction filter_change_tracking() 0.000000 | HookCallFunction getenv(BRO_DEFAULT_LISTEN_ADDRESS) @@ -2704,7 +2704,7 @@ 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} 0.000000 | HookLogWrite packet_filter [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() -0.000000 | HookQueueEvent bro_init() +0.000000 | HookQueueEvent zeek_init() 0.000000 | HookQueueEvent filter_change_tracking() 1362692526.869344 MetaHookPost BroObjDtor() -> 1362692526.869344 MetaHookPost CallFunction(ChecksumOffloading::check, , ()) -> 
@@ -3240,7 +3240,7 @@ 1362692527.080972 | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])} 1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=] 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() -1362692527.080972 | HookQueueEvent bro_done() +1362692527.080972 | HookQueueEvent zeek_done() 1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookQueueEvent filter_change_tracking() 1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log index b4be2cc92f..44e1435514 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log @@ -1,4 +1,4 @@ - 0.000000 bro_init + 0.000000 zeek_init 0.000000 NetControl::init 0.000000 filter_change_tracking 1254722767.492060 ChecksumOffloading::check @@ -226,5 +226,5 @@ 1437831800.217854 connection_state_remove 1437831800.217854 connection_pending 1437831800.217854 connection_state_remove -1437831800.217854 bro_done +1437831800.217854 zeek_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 8f6550e2e2..9182b8f999 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log @@ -1,4 +1,4 @@ - 0.000000 bro_init + 0.000000 zeek_init 0.000000 NetControl::init 0.000000 filter_change_tracking 1254722767.492060 ChecksumOffloading::check 
@@ -1072,5 +1072,5 @@ 1437831800.217854 connection_state_remove [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], 
cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] -1437831800.217854 bro_done +1437831800.217854 zeek_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/bifs/all_set.bro b/testing/btest/bifs/all_set.bro index 56f7b6e7f2..86a56ed9fa 100644 --- a/testing/btest/bifs/all_set.bro +++ b/testing/btest/bifs/all_set.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = vector( T, F, T ); print all_set(a); diff --git a/testing/btest/bifs/analyzer_name.bro b/testing/btest/bifs/analyzer_name.bro index 266d1c159f..b763aabe08 100644 --- a/testing/btest/bifs/analyzer_name.bro +++ b/testing/btest/bifs/analyzer_name.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = Analyzer::ANALYZER_PIA_TCP; print Analyzer::name(a); diff --git a/testing/btest/bifs/any_set.bro b/testing/btest/bifs/any_set.bro index b3e9e3c711..e19a467206 100644 --- a/testing/btest/bifs/any_set.bro +++ b/testing/btest/bifs/any_set.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = vector( F, T, F ); print any_set(a); diff --git a/testing/btest/bifs/bloomfilter-seed.bro b/testing/btest/bifs/bloomfilter-seed.bro index 436638e2af..24531de915 100644 --- a/testing/btest/bifs/bloomfilter-seed.bro +++ b/testing/btest/bifs/bloomfilter-seed.bro 
@@ -34,7 +34,7 @@ function test_bloom_filter()
 }
-event bro_init()
+event zeek_init()
 {
 test_bloom_filter();
 }
diff --git a/testing/btest/bifs/bloomfilter.bro b/testing/btest/bifs/bloomfilter.bro
index c0ccc2a552..dbad5acf5a 100644
--- a/testing/btest/bifs/bloomfilter.bro
+++ b/testing/btest/bifs/bloomfilter.bro
@@ -88,7 +88,7 @@ function test_counting_bloom_filter()
 print bloomfilter_lookup(bf_merged, "baz");
 }
-event bro_init()
+event zeek_init()
 {
 test_basic_bloom_filter();
 test_counting_bloom_filter();
diff --git a/testing/btest/bifs/bro_version.bro b/testing/btest/bifs/bro_version.bro
index 35975559a5..f4de22e09d 100644
--- a/testing/btest/bifs/bro_version.bro
+++ b/testing/btest/bifs/bro_version.bro
@@ -1,7 +1,7 @@
 #
 # @TEST-EXEC: bro -b %INPUT
-event bro_init()
+event zeek_init()
 {
 local a = bro_version();
 if ( |a| == 0 )
diff --git a/testing/btest/bifs/bytestring_to_count.bro b/testing/btest/bifs/bytestring_to_count.bro
index db50929cb7..5d15bde38b 100644
--- a/testing/btest/bifs/bytestring_to_count.bro
+++ b/testing/btest/bifs/bytestring_to_count.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 # unsupported byte lengths
diff --git a/testing/btest/bifs/bytestring_to_double.bro b/testing/btest/bifs/bytestring_to_double.bro
index 78820b207c..6ebcbe503b 100644
--- a/testing/btest/bifs/bytestring_to_double.bro
+++ b/testing/btest/bifs/bytestring_to_double.bro
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local s1 = "\x43\x26\x4f\xa0\x71\x30\x80\x00"; # 3.14e15
 local s2 = "\xc3\x26\x4f\xa0\x71\x30\x80\x00"; #-3.14e15
diff --git a/testing/btest/bifs/bytestring_to_hexstr.bro b/testing/btest/bifs/bytestring_to_hexstr.bro
index 4087047f40..0b3e8154ab 100644
--- a/testing/btest/bifs/bytestring_to_hexstr.bro
+++ b/testing/btest/bifs/bytestring_to_hexstr.bro
@@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print bytestring_to_hexstr("04"); print bytestring_to_hexstr(""); diff --git a/testing/btest/bifs/capture_state_updates.bro b/testing/btest/bifs/capture_state_updates.bro index 6a44e0f86f..17d015a661 100644 --- a/testing/btest/bifs/capture_state_updates.bro +++ b/testing/btest/bifs/capture_state_updates.bro @@ -3,7 +3,7 @@ # @TEST-EXEC: btest-diff out # @TEST-EXEC: test -f testfile -event bro_init() +event zeek_init() { print capture_state_updates("testfile"); } diff --git a/testing/btest/bifs/cat.bro b/testing/btest/bifs/cat.bro index e923d5d066..5e811f147e 100644 --- a/testing/btest/bifs/cat.bro +++ b/testing/btest/bifs/cat.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "foo"; local b = 3; diff --git a/testing/btest/bifs/cat_string_array.bro b/testing/btest/bifs/cat_string_array.bro index e799f4b282..f9aa3f266d 100644 --- a/testing/btest/bifs/cat_string_array.bro +++ b/testing/btest/bifs/cat_string_array.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a: string_array = { [0] = "this", [1] = "is", [2] = "a", [3] = "test" diff --git a/testing/btest/bifs/check_subnet.bro b/testing/btest/bifs/check_subnet.bro index b725cae73c..d476be1bc8 100644 --- a/testing/btest/bifs/check_subnet.bro +++ b/testing/btest/bifs/check_subnet.bro @@ -30,7 +30,7 @@ function check_member(s: subnet) } -event bro_init() +event zeek_init() { check_member(10.2.0.2/32); check_member(10.2.0.2/31); diff --git a/testing/btest/bifs/checkpoint_state.bro b/testing/btest/bifs/checkpoint_state.bro index 7a46516ba0..e9eeeccb75 100644 --- a/testing/btest/bifs/checkpoint_state.bro +++ b/testing/btest/bifs/checkpoint_state.bro 
@@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: test -f .state/state.bst -event bro_init() +event zeek_init() { local a = checkpoint_state(); if ( a != T ) diff --git a/testing/btest/bifs/clear_table.bro b/testing/btest/bifs/clear_table.bro index 9485eba1f5..a6c2e67341 100644 --- a/testing/btest/bifs/clear_table.bro +++ b/testing/btest/bifs/clear_table.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT > out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local mytable: table[string] of string = { ["key1"] = "val1" }; diff --git a/testing/btest/bifs/convert_for_pattern.bro b/testing/btest/bifs/convert_for_pattern.bro index b99b010f97..1828284f37 100644 --- a/testing/btest/bifs/convert_for_pattern.bro +++ b/testing/btest/bifs/convert_for_pattern.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print convert_for_pattern("foo"); print convert_for_pattern(""); diff --git a/testing/btest/bifs/count_to_addr.bro b/testing/btest/bifs/count_to_addr.bro index 993a701bc8..4abbaf8d1e 100644 --- a/testing/btest/bifs/count_to_addr.bro +++ b/testing/btest/bifs/count_to_addr.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "1"; print count_to_v4_addr(to_count(a)); diff --git a/testing/btest/bifs/create_file.bro b/testing/btest/bifs/create_file.bro index af2cfb4979..db7d38d087 100644 --- a/testing/btest/bifs/create_file.bro +++ b/testing/btest/bifs/create_file.bro @@ -5,7 +5,7 @@ # @TEST-EXEC: btest-diff testfile2 # @TEST-EXEC: test -f testdir/testfile4 -event bro_init() +event zeek_init() { # Test that creating a file works as expected local a = open("testfile"); diff --git a/testing/btest/bifs/current_analyzer.bro b/testing/btest/bifs/current_analyzer.bro index e221d7aed0..8678907320 100644 --- a/testing/btest/bifs/current_analyzer.bro +++ b/testing/btest/bifs/current_analyzer.bro 
@@ -1,7 +1,7 @@ # # @TEST-EXEC: bro -b %INPUT -event bro_init() +event zeek_init() { local a = current_analyzer(); if ( a != 0 ) diff --git a/testing/btest/bifs/current_time.bro b/testing/btest/bifs/current_time.bro index 9d4899aa06..4d2712ae98 100644 --- a/testing/btest/bifs/current_time.bro +++ b/testing/btest/bifs/current_time.bro @@ -1,7 +1,7 @@ # # @TEST-EXEC: bro -b %INPUT -event bro_init() +event zeek_init() { local a = current_time(); if ( a <= double_to_time(0) ) diff --git a/testing/btest/bifs/directory_operations.bro b/testing/btest/bifs/directory_operations.bro index 9db34511b2..0a5a8b0413 100644 --- a/testing/btest/bifs/directory_operations.bro +++ b/testing/btest/bifs/directory_operations.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { # Test succesful operations... print mkdir("testdir"); diff --git a/testing/btest/bifs/edit.bro b/testing/btest/bifs/edit.bro index 346c0bdbf7..ba6ebdef38 100644 --- a/testing/btest/bifs/edit.bro +++ b/testing/btest/bifs/edit.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "hello there"; diff --git a/testing/btest/bifs/enable_raw_output.test b/testing/btest/bifs/enable_raw_output.test index ebaff36c8f..14bd2110ee 100644 --- a/testing/btest/bifs/enable_raw_output.test +++ b/testing/btest/bifs/enable_raw_output.test @@ -6,7 +6,7 @@ # @TEST-EXEC: btest-diff output # @TEST-EXEC: cmp myfile hookfile -event bro_init() +event zeek_init() { local myfile: file; myfile = open("myfile"); diff --git a/testing/btest/bifs/entropy_test.bro b/testing/btest/bifs/entropy_test.bro index 2a2dd422d1..11effd1159 100644 --- a/testing/btest/bifs/entropy_test.bro +++ b/testing/btest/bifs/entropy_test.bro 
@@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "dh3Hie02uh^s#Sdf9L3frd243h$d78r2G4cM6*Q05d(7rh46f!0|4-f"; local handle = entropy_test_init(); diff --git a/testing/btest/bifs/enum_to_int.bro b/testing/btest/bifs/enum_to_int.bro index 3d577d2920..b48c925c8f 100644 --- a/testing/btest/bifs/enum_to_int.bro +++ b/testing/btest/bifs/enum_to_int.bro @@ -16,7 +16,7 @@ export { }; } -event bro_init() +event zeek_init() { diff --git a/testing/btest/bifs/escape_string.bro b/testing/btest/bifs/escape_string.bro index fd796497be..4ae79a869a 100644 --- a/testing/btest/bifs/escape_string.bro +++ b/testing/btest/bifs/escape_string.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "Test \0string"; diff --git a/testing/btest/bifs/exit.bro b/testing/btest/bifs/exit.bro index b942a5e81c..03ea13efd3 100644 --- a/testing/btest/bifs/exit.bro +++ b/testing/btest/bifs/exit.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out || test $? -eq 7 # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print "hello"; exit(7); diff --git a/testing/btest/bifs/file_mode.bro b/testing/btest/bifs/file_mode.bro index 62bee05c6c..de43439080 100644 --- a/testing/btest/bifs/file_mode.bro +++ b/testing/btest/bifs/file_mode.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = 420; # octal: 0644 print file_mode(a); diff --git a/testing/btest/bifs/filter_subnet_table.bro b/testing/btest/bifs/filter_subnet_table.bro index 7659096a71..79829bc252 100644 --- a/testing/btest/bifs/filter_subnet_table.bro +++ b/testing/btest/bifs/filter_subnet_table.bro @@ -32,7 +32,7 @@ global testb: table[subnet] of string = { }; -event bro_init() +event zeek_init() { local c = filter_subnet_table(10.2.0.2/32, testa); print c; 
diff --git a/testing/btest/bifs/find_all.bro b/testing/btest/bifs/find_all.bro index 4fe451a9d4..cb7e7b35d0 100644 --- a/testing/btest/bifs/find_all.bro +++ b/testing/btest/bifs/find_all.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this is a test"; local pat = /hi|es/; diff --git a/testing/btest/bifs/find_entropy.bro b/testing/btest/bifs/find_entropy.bro index 2eb24fe118..771a6221f7 100644 --- a/testing/btest/bifs/find_entropy.bro +++ b/testing/btest/bifs/find_entropy.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "dh3Hie02uh^s#Sdf9L3frd243h$d78r2G4cM6*Q05d(7rh46f!0|4-f"; local b = "0011000aaabbbbcccc000011111000000000aaaabbbbcccc0000000"; diff --git a/testing/btest/bifs/find_last.bro b/testing/btest/bifs/find_last.bro index 00ae2a874d..0eab201464 100644 --- a/testing/btest/bifs/find_last.bro +++ b/testing/btest/bifs/find_last.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this is a test"; local pat = /hi|es/; diff --git a/testing/btest/bifs/fmt.bro b/testing/btest/bifs/fmt.bro index 7fc4dc38d7..979dbafe67 100644 --- a/testing/btest/bifs/fmt.bro +++ b/testing/btest/bifs/fmt.bro @@ -4,7 +4,7 @@ type color: enum { Red, Blue }; -event bro_init() +event zeek_init() { local a = Blue; local b = vector( 1, 2, 3); diff --git a/testing/btest/bifs/fmt_ftp_port.bro b/testing/btest/bifs/fmt_ftp_port.bro index 6a7b4d20c7..b265c0ad67 100644 --- a/testing/btest/bifs/fmt_ftp_port.bro +++ b/testing/btest/bifs/fmt_ftp_port.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = 192.168.0.2; local b = 257/tcp; diff --git a/testing/btest/bifs/get_matcher_stats.bro b/testing/btest/bifs/get_matcher_stats.bro index eeaa8cb86a..76d019caca 100644 
--- a/testing/btest/bifs/get_matcher_stats.bro +++ b/testing/btest/bifs/get_matcher_stats.bro @@ -10,7 +10,7 @@ signature my_ftp_client { } @TEST-END-FILE -event bro_init() +event zeek_init() { local a = get_matcher_stats(); if ( a$matchers == 0 ) diff --git a/testing/btest/bifs/get_port_transport_proto.bro b/testing/btest/bifs/get_port_transport_proto.bro index ae3c496d88..18dfdd4974 100644 --- a/testing/btest/bifs/get_port_transport_proto.bro +++ b/testing/btest/bifs/get_port_transport_proto.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = 123/tcp; local b = 123/udp; diff --git a/testing/btest/bifs/gethostname.bro b/testing/btest/bifs/gethostname.bro index 1d760525cb..b30407190d 100644 --- a/testing/btest/bifs/gethostname.bro +++ b/testing/btest/bifs/gethostname.bro @@ -1,7 +1,7 @@ # # @TEST-EXEC: bro -b %INPUT -event bro_init() +event zeek_init() { local a = gethostname(); if ( |a| == 0 ) diff --git a/testing/btest/bifs/getpid.bro b/testing/btest/bifs/getpid.bro index 1852b1287e..a7348d4743 100644 --- a/testing/btest/bifs/getpid.bro +++ b/testing/btest/bifs/getpid.bro @@ -1,7 +1,7 @@ # # @TEST-EXEC: bro -b %INPUT -event bro_init() +event zeek_init() { local a = getpid(); if ( a == 0 ) diff --git a/testing/btest/bifs/getsetenv.bro b/testing/btest/bifs/getsetenv.bro index d217a14ea9..24fecb7800 100644 --- a/testing/btest/bifs/getsetenv.bro +++ b/testing/btest/bifs/getsetenv.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: TESTBRO=testvalue bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = getenv("NOTDEFINED"); local b = getenv("TESTBRO"); diff --git a/testing/btest/bifs/global_ids.bro b/testing/btest/bifs/global_ids.bro index 2dcb6e844d..a6d7b306cb 100644 --- a/testing/btest/bifs/global_ids.bro +++ b/testing/btest/bifs/global_ids.bro 
@@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = global_ids(); for ( i in a ) diff --git a/testing/btest/bifs/global_sizes.bro b/testing/btest/bifs/global_sizes.bro index 4b0805172c..1eb2abbd87 100644 --- a/testing/btest/bifs/global_sizes.bro +++ b/testing/btest/bifs/global_sizes.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = global_sizes(); for ( i in a ) diff --git a/testing/btest/bifs/haversine_distance.bro b/testing/btest/bifs/haversine_distance.bro index b0a87a2c2d..0d2e7891c0 100644 --- a/testing/btest/bifs/haversine_distance.bro +++ b/testing/btest/bifs/haversine_distance.bro @@ -7,7 +7,7 @@ function test(la1: double, lo1: double, la2: double, lo2: double) print fmt("%.4e", haversine_distance(la1, lo1, la2, lo2)); } -event bro_init() +event zeek_init() { # Test two arbitrary locations. test(37.866798, -122.253601, 48.25, 11.65); diff --git a/testing/btest/bifs/hexdump.bro b/testing/btest/bifs/hexdump.bro index 1c86ce0db8..10e1855a19 100644 --- a/testing/btest/bifs/hexdump.bro +++ b/testing/btest/bifs/hexdump.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "abc\xffdefghijklmnopqrstuvwxyz"; diff --git a/testing/btest/bifs/hexstr_to_bytestring.bro b/testing/btest/bifs/hexstr_to_bytestring.bro index f0815a6269..0d41ca00a1 100644 --- a/testing/btest/bifs/hexstr_to_bytestring.bro +++ b/testing/btest/bifs/hexstr_to_bytestring.bro @@ -3,7 +3,7 @@ # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff .stderr -event bro_init() +event zeek_init() { print hexstr_to_bytestring("3034"); print hexstr_to_bytestring(""); diff --git a/testing/btest/bifs/hll_cardinality.bro b/testing/btest/bifs/hll_cardinality.bro index d1b0807416..6bb9c83708 100644 --- a/testing/btest/bifs/hll_cardinality.bro 
+++ b/testing/btest/bifs/hll_cardinality.bro @@ -3,7 +3,7 @@ # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff .stderr -event bro_init() +event zeek_init() { local c1 = hll_cardinality_init(0.01, 0.95); local c2 = hll_cardinality_init(0.01, 0.95); diff --git a/testing/btest/bifs/hll_large_estimate.bro b/testing/btest/bifs/hll_large_estimate.bro index b17b50678d..520b9633e3 100644 --- a/testing/btest/bifs/hll_large_estimate.bro +++ b/testing/btest/bifs/hll_large_estimate.bro @@ -6,7 +6,7 @@ # @TEST-EXEC: head -n1 out2 >> out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local cp: opaque of cardinality = hll_cardinality_init(0.1, 1.0); local base: count = 2130706432; # 127.0.0.0 diff --git a/testing/btest/bifs/identify_data.bro b/testing/btest/bifs/identify_data.bro index 048c409553..283c50fc86 100644 --- a/testing/btest/bifs/identify_data.bro +++ b/testing/btest/bifs/identify_data.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT | sed 's/; charset=.*//g' >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { # plain text local a = "This is a test"; diff --git a/testing/btest/bifs/install_src_addr_filter.test b/testing/btest/bifs/install_src_addr_filter.test index 5b387832de..0ee0c85c43 100644 --- a/testing/btest/bifs/install_src_addr_filter.test +++ b/testing/btest/bifs/install_src_addr_filter.test @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output # @TEST-EXEC: btest-diff output -event bro_init() +event zeek_init() { install_src_addr_filter(141.142.220.118, TH_SYN, 100.0); } diff --git a/testing/btest/bifs/is_ascii.bro b/testing/btest/bifs/is_ascii.bro index fa2d39d2d8..7930dafa58 100644 --- a/testing/btest/bifs/is_ascii.bro +++ b/testing/btest/bifs/is_ascii.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this is a test\xfe"; local b = "this is a test\x7f"; 
diff --git a/testing/btest/bifs/is_local_interface.bro b/testing/btest/bifs/is_local_interface.bro index ac21b04bd3..8667babb85 100644 --- a/testing/btest/bifs/is_local_interface.bro +++ b/testing/btest/bifs/is_local_interface.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print is_local_interface(127.0.0.1); print is_local_interface(1.2.3.4); diff --git a/testing/btest/bifs/is_port.bro b/testing/btest/bifs/is_port.bro index 2fe4964913..709c142070 100644 --- a/testing/btest/bifs/is_port.bro +++ b/testing/btest/bifs/is_port.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = 123/tcp; local b = 123/udp; diff --git a/testing/btest/bifs/join_string.bro b/testing/btest/bifs/join_string.bro index 0b2d94029a..1ea1afa5c2 100644 --- a/testing/btest/bifs/join_string.bro +++ b/testing/btest/bifs/join_string.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a: string_array = { [1] = "this", [2] = "is", [3] = "a", [4] = "test" diff --git a/testing/btest/bifs/levenshtein_distance.bro b/testing/btest/bifs/levenshtein_distance.bro index 86d5e386f4..b877a68a22 100644 --- a/testing/btest/bifs/levenshtein_distance.bro +++ b/testing/btest/bifs/levenshtein_distance.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this is a string"; local b = "this is a tring"; diff --git a/testing/btest/bifs/lookup_ID.bro b/testing/btest/bifs/lookup_ID.bro index e263c192da..94e7bf0180 100644 --- a/testing/btest/bifs/lookup_ID.bro +++ b/testing/btest/bifs/lookup_ID.bro @@ -4,7 +4,7 @@ global a = "bro test"; -event bro_init() +event zeek_init() { local b = "local value"; diff --git a/testing/btest/bifs/lowerupper.bro b/testing/btest/bifs/lowerupper.bro index 77e6b1c9d1..2cb04bfdaa 100644 
--- a/testing/btest/bifs/lowerupper.bro +++ b/testing/btest/bifs/lowerupper.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this is a Test"; diff --git a/testing/btest/bifs/matching_subnets.bro b/testing/btest/bifs/matching_subnets.bro index 87effed19f..3d38d32182 100644 --- a/testing/btest/bifs/matching_subnets.bro +++ b/testing/btest/bifs/matching_subnets.bro @@ -16,7 +16,7 @@ global testt: set[subnet] = { [2607:f8b0:4007:807::200e]/128 }; -event bro_init() +event zeek_init() { print testt; local c = matching_subnets(10.2.0.2/32, testt); diff --git a/testing/btest/bifs/math.bro b/testing/btest/bifs/math.bro index 84ace8620c..288838ffc1 100644 --- a/testing/btest/bifs/math.bro +++ b/testing/btest/bifs/math.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = 3.14; local b = 2.71; diff --git a/testing/btest/bifs/merge_pattern.bro b/testing/btest/bifs/merge_pattern.bro index de4a3afd6a..2d99137b56 100644 --- a/testing/btest/bifs/merge_pattern.bro +++ b/testing/btest/bifs/merge_pattern.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = /foo/; local b = /b[a-z]+/; diff --git a/testing/btest/bifs/net_stats_trace.test b/testing/btest/bifs/net_stats_trace.test index cd9ee52a27..1cc1ba5567 100644 --- a/testing/btest/bifs/net_stats_trace.test +++ b/testing/btest/bifs/net_stats_trace.test @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -r $TRACES/wikipedia.trace >output %INPUT # @TEST-EXEC: btest-diff output -event bro_done() +event zeek_done() { print get_net_stats(); } diff --git a/testing/btest/bifs/netbios-functions.bro b/testing/btest/bifs/netbios-functions.bro index 9b075e8729..8e65f1d5ec 100644 --- a/testing/btest/bifs/netbios-functions.bro +++ b/testing/btest/bifs/netbios-functions.bro 
@@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local names_to_decode = set( "ejfdebfeebfacacacacacacacacacaaa", # ISATAP diff --git a/testing/btest/bifs/order.bro b/testing/btest/bifs/order.bro index cb4b050686..34c8e8c101 100644 --- a/testing/btest/bifs/order.bro +++ b/testing/btest/bifs/order.bro @@ -20,7 +20,7 @@ function myfunc2(a: double, b: double): int return 1; } -event bro_init() +event zeek_init() { # Tests without supplying a comparison function diff --git a/testing/btest/bifs/parse_ftp.bro b/testing/btest/bifs/parse_ftp.bro index a8993fa6e0..1e982def27 100644 --- a/testing/btest/bifs/parse_ftp.bro +++ b/testing/btest/bifs/parse_ftp.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print parse_ftp_port("192,168,0,2,1,1"); diff --git a/testing/btest/bifs/rand.bro b/testing/btest/bifs/rand.bro index caf3f16031..591f0bf035 100644 --- a/testing/btest/bifs/rand.bro +++ b/testing/btest/bifs/rand.bro @@ -6,7 +6,7 @@ const do_seed = T &redef; -event bro_init() +event zeek_init() { local a = rand(1000); local b = rand(1000); diff --git a/testing/btest/bifs/raw_bytes_to_v4_addr.bro b/testing/btest/bifs/raw_bytes_to_v4_addr.bro index bd685216ef..9ac266a0bd 100644 --- a/testing/btest/bifs/raw_bytes_to_v4_addr.bro +++ b/testing/btest/bifs/raw_bytes_to_v4_addr.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print raw_bytes_to_v4_addr("ABCD"); print raw_bytes_to_v4_addr("ABC"); diff --git a/testing/btest/bifs/reading_traces.bro b/testing/btest/bifs/reading_traces.bro index 46ad04c25f..e6fa21999e 100644 --- a/testing/btest/bifs/reading_traces.bro +++ b/testing/btest/bifs/reading_traces.bro @@ -4,7 +4,7 @@ # @TEST-EXEC: bro -r $TRACES/web.trace %INPUT >out2 # @TEST-EXEC: btest-diff out2 -event bro_init() +event zeek_init() { print reading_traces(); } 
diff --git a/testing/btest/bifs/record_type_to_vector.bro b/testing/btest/bifs/record_type_to_vector.bro index 9795ce886b..e5e79a4f49 100644 --- a/testing/btest/bifs/record_type_to_vector.bro +++ b/testing/btest/bifs/record_type_to_vector.bro @@ -7,7 +7,7 @@ type myrecord: record { str1: string; }; -event bro_init() +event zeek_init() { print record_type_to_vector("myrecord"); } diff --git a/testing/btest/bifs/records_fields.bro b/testing/btest/bifs/records_fields.bro index 88df239b57..a130a63267 100644 --- a/testing/btest/bifs/records_fields.bro +++ b/testing/btest/bifs/records_fields.bro @@ -24,7 +24,7 @@ type r: record { type mystring: string; -event bro_init() +event zeek_init() { local x: r = [$a=42, $d="Bar", $e=tt]; print x; diff --git a/testing/btest/bifs/resize.bro b/testing/btest/bifs/resize.bro index f4067f31c7..97c3b8c20b 100644 --- a/testing/btest/bifs/resize.bro +++ b/testing/btest/bifs/resize.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = vector( 5, 3, 8 ); diff --git a/testing/btest/bifs/reverse.bro b/testing/btest/bifs/reverse.bro index bbb386bb80..b6831ef3a7 100644 --- a/testing/btest/bifs/reverse.bro +++ b/testing/btest/bifs/reverse.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local s1 = "hello world!"; local s2 = "rise to vote sir"; diff --git a/testing/btest/bifs/rotate_file.bro b/testing/btest/bifs/rotate_file.bro index a6109ff677..a7c3bf3971 100644 --- a/testing/btest/bifs/rotate_file.bro +++ b/testing/btest/bifs/rotate_file.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = open("testfile"); write_file(a, "this is a test\n"); diff --git a/testing/btest/bifs/rotate_file_by_name.bro b/testing/btest/bifs/rotate_file_by_name.bro index f647edefe2..b02d4011be 100644 
--- a/testing/btest/bifs/rotate_file_by_name.bro +++ b/testing/btest/bifs/rotate_file_by_name.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = open("testfile"); write_file(a, "this is a test\n"); diff --git a/testing/btest/bifs/same_object.bro b/testing/btest/bifs/same_object.bro index dddfd80d3d..8e38912f58 100644 --- a/testing/btest/bifs/same_object.bro +++ b/testing/btest/bifs/same_object.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "This is a test"; local b: string; diff --git a/testing/btest/bifs/sort.bro b/testing/btest/bifs/sort.bro index 2ddb44b8be..2f3789c8a9 100644 --- a/testing/btest/bifs/sort.bro +++ b/testing/btest/bifs/sort.bro @@ -20,7 +20,7 @@ function myfunc2(a: double, b: double): int return 1; } -event bro_init() +event zeek_init() { # Tests without supplying a comparison function diff --git a/testing/btest/bifs/sort_string_array.bro b/testing/btest/bifs/sort_string_array.bro index 1916f93d0c..3d3949d89b 100644 --- a/testing/btest/bifs/sort_string_array.bro +++ b/testing/btest/bifs/sort_string_array.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a: string_array = { [1] = "this", [2] = "is", [3] = "a", [4] = "test" diff --git a/testing/btest/bifs/split.bro b/testing/btest/bifs/split.bro index b117844645..2485c3af1f 100644 --- a/testing/btest/bifs/split.bro +++ b/testing/btest/bifs/split.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this is a test"; local pat = /hi|es/; diff --git a/testing/btest/bifs/split_string.bro b/testing/btest/bifs/split_string.bro index e4d32b7f73..2f67921a04 100644 --- a/testing/btest/bifs/split_string.bro +++ b/testing/btest/bifs/split_string.bro 
@@ -8,7 +8,7 @@ function print_string_vector(v: string_vec) print v[i]; } -event bro_init() +event zeek_init() { local a = "this is a test"; local pat = /hi|es/; diff --git a/testing/btest/bifs/str_shell_escape.bro b/testing/btest/bifs/str_shell_escape.bro index e631458bc1..9079ef3953 100644 --- a/testing/btest/bifs/str_shell_escape.bro +++ b/testing/btest/bifs/str_shell_escape.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "echo ${TEST} > \"my file\""; diff --git a/testing/btest/bifs/strcmp.bro b/testing/btest/bifs/strcmp.bro index 92d0430f1d..6893656e69 100644 --- a/testing/btest/bifs/strcmp.bro +++ b/testing/btest/bifs/strcmp.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this"; local b = "testing"; diff --git a/testing/btest/bifs/strftime.bro b/testing/btest/bifs/strftime.bro index 3d9e388c90..8a9f42d8b3 100644 --- a/testing/btest/bifs/strftime.bro +++ b/testing/btest/bifs/strftime.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local f1 = "%Y-%m-%d %H:%M:%S"; local f2 = "%H%M%S %Y%m%d"; diff --git a/testing/btest/bifs/string_fill.bro b/testing/btest/bifs/string_fill.bro index 0968215cc0..81a447ed47 100644 --- a/testing/btest/bifs/string_fill.bro +++ b/testing/btest/bifs/string_fill.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "test "; diff --git a/testing/btest/bifs/string_to_pattern.bro b/testing/btest/bifs/string_to_pattern.bro index 4bd04bbcea..089cc3c557 100644 --- a/testing/btest/bifs/string_to_pattern.bro +++ b/testing/btest/bifs/string_to_pattern.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print string_to_pattern("foo", F); print string_to_pattern("", F); 
diff --git a/testing/btest/bifs/strip.bro b/testing/btest/bifs/strip.bro index e508f20e3d..ae80811a30 100644 --- a/testing/btest/bifs/strip.bro +++ b/testing/btest/bifs/strip.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = " this is a test "; local b = ""; diff --git a/testing/btest/bifs/strptime.bro b/testing/btest/bifs/strptime.bro index 215299b300..c8f57b1dfc 100644 --- a/testing/btest/bifs/strptime.bro +++ b/testing/btest/bifs/strptime.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out 2>&1 # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print strptime("%Y-%m-%d", "2012-10-19"); print strptime("%m", "1980-10-24"); diff --git a/testing/btest/bifs/strstr.bro b/testing/btest/bifs/strstr.bro index 40cd8aa5fd..75a362375a 100644 --- a/testing/btest/bifs/strstr.bro +++ b/testing/btest/bifs/strstr.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this is a test"; local b = "his"; diff --git a/testing/btest/bifs/sub.bro b/testing/btest/bifs/sub.bro index 773530ac74..f83113ad19 100644 --- a/testing/btest/bifs/sub.bro +++ b/testing/btest/bifs/sub.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this is a test"; local pat = /is|ss/; diff --git a/testing/btest/bifs/subst_string.bro b/testing/btest/bifs/subst_string.bro index 6ebed72321..186ca7f921 100644 --- a/testing/btest/bifs/subst_string.bro +++ b/testing/btest/bifs/subst_string.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "this is another test"; local b = "is"; diff --git a/testing/btest/bifs/system.bro b/testing/btest/bifs/system.bro index bd27fc3db5..e488601ee5 100644 --- a/testing/btest/bifs/system.bro +++ b/testing/btest/bifs/system.bro 
@@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = system("echo thistest > out"); if ( a != 0 ) diff --git a/testing/btest/bifs/system_env.bro b/testing/btest/bifs/system_env.bro index cfe4e7dd2a..beece2e2c6 100644 --- a/testing/btest/bifs/system_env.bro +++ b/testing/btest/bifs/system_env.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff testfile -event bro_init() +event zeek_init() { local vars: table[string] of string = { ["TESTBRO"] = "helloworld" }; diff --git a/testing/btest/bifs/to_count.bro b/testing/btest/bifs/to_count.bro index 8de8c5c674..dc87fe94b9 100644 --- a/testing/btest/bifs/to_count.bro +++ b/testing/btest/bifs/to_count.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a: int = -2; print int_to_count(a); diff --git a/testing/btest/bifs/to_double.bro b/testing/btest/bifs/to_double.bro index b6fb9917a7..b2d2d65f4d 100644 --- a/testing/btest/bifs/to_double.bro +++ b/testing/btest/bifs/to_double.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = 1 usec; print interval_to_double(a); diff --git a/testing/btest/bifs/to_int.bro b/testing/btest/bifs/to_int.bro index e65a555cc4..fe7d530835 100644 --- a/testing/btest/bifs/to_int.bro +++ b/testing/btest/bifs/to_int.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print to_int("1"); print to_int("-1"); diff --git a/testing/btest/bifs/to_interval.bro b/testing/btest/bifs/to_interval.bro index 71d73fed62..b877cedacc 100644 --- a/testing/btest/bifs/to_interval.bro +++ b/testing/btest/bifs/to_interval.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = 1234563.14; print double_to_interval(a); 
diff --git a/testing/btest/bifs/to_port.bro b/testing/btest/bifs/to_port.bro index b2289b8a21..9c53de7297 100644 --- a/testing/btest/bifs/to_port.bro +++ b/testing/btest/bifs/to_port.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print to_port("123/tcp"); print to_port("123/udp"); diff --git a/testing/btest/bifs/to_time.bro b/testing/btest/bifs/to_time.bro index d5a81b0934..b286d92ea4 100644 --- a/testing/btest/bifs/to_time.bro +++ b/testing/btest/bifs/to_time.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = 1234563.14; print double_to_time(a); diff --git a/testing/btest/bifs/topk.bro b/testing/btest/bifs/topk.bro index 1e650335a7..06246da4ac 100644 --- a/testing/btest/bifs/topk.bro +++ b/testing/btest/bifs/topk.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff .stderr -event bro_init() +event zeek_init() { local k1 = topk_init(2); diff --git a/testing/btest/bifs/type_name.bro b/testing/btest/bifs/type_name.bro index f331fe6aa9..7377558db2 100644 --- a/testing/btest/bifs/type_name.bro +++ b/testing/btest/bifs/type_name.bro @@ -9,7 +9,7 @@ type myrecord: record { s: string; }; -event bro_init() +event zeek_init() { local a = "foo"; local b = 3; diff --git a/testing/btest/bifs/uuid_to_string.bro b/testing/btest/bifs/uuid_to_string.bro index dc84f349fa..2df9d2f0f0 100644 --- a/testing/btest/bifs/uuid_to_string.bro +++ b/testing/btest/bifs/uuid_to_string.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "\xfe\x80abcdefg0123456"; print uuid_to_string(a); diff --git a/testing/btest/bifs/val_size.bro b/testing/btest/bifs/val_size.bro index 57b512b776..8757bde285 100644 --- a/testing/btest/bifs/val_size.bro +++ b/testing/btest/bifs/val_size.bro 
@@ -1,7 +1,7 @@ # # @TEST-EXEC: bro -b %INPUT -event bro_init() +event zeek_init() { local a = T; local b = 12; diff --git a/testing/btest/broker/connect-on-retry.bro b/testing/btest/broker/connect-on-retry.bro index 56e479b7ea..7a7db81da9 100644 --- a/testing/btest/broker/connect-on-retry.bro +++ b/testing/btest/broker/connect-on-retry.bro @@ -16,7 +16,7 @@ global event_count = 0; global ping: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::auto_publish("bro/event/my_topic", ping); @@ -65,7 +65,7 @@ event delayed_listen() Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::auto_publish("bro/event/my_topic", pong); diff --git a/testing/btest/broker/disconnect.bro b/testing/btest/broker/disconnect.bro index 08d80f0441..34d98d20e8 100644 --- a/testing/btest/broker/disconnect.bro +++ b/testing/btest/broker/disconnect.bro @@ -24,7 +24,7 @@ event my_event(i: count) print "sender got event", i; } -event bro_init() +event zeek_init() { Broker::subscribe(test_topic); Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); @@ -60,7 +60,7 @@ event my_event(i: count) terminate(); } -event bro_init() +event zeek_init() { Broker::subscribe(test_topic); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); diff --git a/testing/btest/broker/error.bro b/testing/btest/broker/error.bro index aa413ea2ac..2955997e1f 100644 --- a/testing/btest/broker/error.bro +++ b/testing/btest/broker/error.bro @@ -27,7 +27,7 @@ event Broker::error(code: Broker::ErrorCode, msg: string) print "error", code, msg; } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); diff --git a/testing/btest/broker/remote_event.bro b/testing/btest/broker/remote_event.bro index a9e22ec25f..548cdb6e5e 100644 --- a/testing/btest/broker/remote_event.bro +++ b/testing/btest/broker/remote_event.bro 
@@ -15,7 +15,7 @@ global event_count = 0; global ping: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); @@ -64,7 +64,7 @@ global auto_handler: event(msg: string, c: count); global pong: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); diff --git a/testing/btest/broker/remote_event_any.bro b/testing/btest/broker/remote_event_any.bro index b45e5017ef..6e111dbbdc 100644 --- a/testing/btest/broker/remote_event_any.bro +++ b/testing/btest/broker/remote_event_any.bro @@ -15,7 +15,7 @@ global event_count = 0; global ping: event(msg: string, c: any); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); @@ -67,7 +67,7 @@ global auto_handler: event(msg: string, c: count); global pong: event(msg: string, c: any); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); diff --git a/testing/btest/broker/remote_event_auto.bro b/testing/btest/broker/remote_event_auto.bro index 04570b9e6d..0bfcd2ab43 100644 --- a/testing/btest/broker/remote_event_auto.bro +++ b/testing/btest/broker/remote_event_auto.bro @@ -15,7 +15,7 @@ global event_count = 0; global ping: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::auto_publish("bro/event/my_topic", ping); @@ -59,7 +59,7 @@ global auto_handler: event(msg: string, c: count); global pong: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::auto_publish("bro/event/my_topic", pong); 
diff --git a/testing/btest/broker/remote_event_ssl_auth.bro b/testing/btest/broker/remote_event_ssl_auth.bro index 2422638416..f5e2cef26b 100644 --- a/testing/btest/broker/remote_event_ssl_auth.bro +++ b/testing/btest/broker/remote_event_ssl_auth.bro @@ -174,7 +174,7 @@ global event_count = 0; global ping: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); @@ -225,7 +225,7 @@ global auto_handler: event(msg: string, c: count); global pong: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); diff --git a/testing/btest/broker/remote_event_vector_any.bro b/testing/btest/broker/remote_event_vector_any.bro index 6f03d97c56..dfd6cfb754 100644 --- a/testing/btest/broker/remote_event_vector_any.bro +++ b/testing/btest/broker/remote_event_vector_any.bro @@ -20,7 +20,7 @@ type myrec: record { global bar: event(x: any); -event bro_init() +event zeek_init() { Broker::subscribe("test"); Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); @@ -91,7 +91,7 @@ event bar(x: any) process(x); } -event bro_init() +event zeek_init() { Broker::subscribe("test"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); diff --git a/testing/btest/broker/remote_id.bro b/testing/btest/broker/remote_id.bro index 62cddb9f25..dad98ee44a 100644 --- a/testing/btest/broker/remote_id.bro +++ b/testing/btest/broker/remote_id.bro @@ -10,7 +10,7 @@ const test_var = "init" &redef; -event bro_init() +event zeek_init() { Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); } @@ -44,7 +44,7 @@ event check_var() } } -event bro_init() +event zeek_init() { print "intial val", test_var; Broker::subscribe("bro/ids"); diff --git a/testing/btest/broker/remote_log.bro b/testing/btest/broker/remote_log.bro index dae89d42b2..f5c320dc20 100644 
--- a/testing/btest/broker/remote_log.bro +++ b/testing/btest/broker/remote_log.bro @@ -25,7 +25,7 @@ export { }; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Test::LOG, [$columns=Test::Info]); } @@ -42,7 +42,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @load ./common.bro -event bro_init() +event zeek_init() { Broker::subscribe("bro/"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); @@ -61,7 +61,7 @@ event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string) @load ./common.bro -event bro_init() +event zeek_init() { Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); } diff --git a/testing/btest/broker/remote_log_late_join.bro b/testing/btest/broker/remote_log_late_join.bro index aea7846996..52bcab7d86 100644 --- a/testing/btest/broker/remote_log_late_join.bro +++ b/testing/btest/broker/remote_log_late_join.bro @@ -25,7 +25,7 @@ export { }; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Test::LOG, [$columns=Test::Info]); } @@ -42,7 +42,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @load ./common.bro -event bro_init() +event zeek_init() { Broker::subscribe("bro/"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); @@ -68,7 +68,7 @@ event doconnect() global n = 0; -event bro_init() +event zeek_init() { schedule 2secs { doconnect() }; Log::write(Test::LOG, [$msg = "ping", $num = n]); diff --git a/testing/btest/broker/remote_log_types.bro b/testing/btest/broker/remote_log_types.bro index 8bbc66eaa2..1a2d04b130 100644 --- a/testing/btest/broker/remote_log_types.bro +++ b/testing/btest/broker/remote_log_types.bro @@ -47,7 +47,7 @@ export { } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Test::LOG, [$columns=Test::Info]); } 
@@ -58,7 +58,7 @@ event bro_init() &priority=5 @load ./common.bro -event bro_init() +event zeek_init() { Broker::subscribe("bro/"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); @@ -77,7 +77,7 @@ event quit_receiver() @load ./common.bro -event bro_init() +event zeek_init() { Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); } diff --git a/testing/btest/broker/ssl_auth_failure.bro b/testing/btest/broker/ssl_auth_failure.bro index bc90d86298..45138dc15e 100644 --- a/testing/btest/broker/ssl_auth_failure.bro +++ b/testing/btest/broker/ssl_auth_failure.bro @@ -103,7 +103,7 @@ event do_terminate() terminate(); } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); @@ -145,7 +145,7 @@ event do_terminate() terminate(); } -event bro_init() +event zeek_init() { Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); schedule 10secs { do_terminate() }; diff --git a/testing/btest/broker/store/clone.bro b/testing/btest/broker/store/clone.bro index 5620303410..a499d11ea6 100644 --- a/testing/btest/broker/store/clone.bro +++ b/testing/btest/broker/store/clone.bro @@ -48,7 +48,7 @@ event inserted() schedule 6secs { done() }; } -event bro_init() +event zeek_init() { Broker::auto_publish("bro/events", done); Broker::subscribe("bro/"); @@ -129,7 +129,7 @@ event lookup(stage: count) schedule 4sec { done() }; } -event bro_init() +event zeek_init() { Broker::auto_publish("bro/events", inserted); Broker::subscribe("bro/"); diff --git a/testing/btest/broker/store/local.bro b/testing/btest/broker/store/local.bro index b352df93f2..1846d8c2c3 100644 --- a/testing/btest/broker/store/local.bro +++ b/testing/btest/broker/store/local.bro @@ -13,7 +13,7 @@ event done() terminate(); } -event bro_init() +event zeek_init() { h = Broker::create_master("master"); Broker::put(h, "one", "110"); 
diff --git a/testing/btest/broker/store/ops.bro b/testing/btest/broker/store/ops.bro index 070a0f2ed3..4e89f365bf 100644 --- a/testing/btest/broker/store/ops.bro +++ b/testing/btest/broker/store/ops.bro @@ -83,7 +83,7 @@ event pk1() schedule 1sec { pk2() }; } -event bro_init() +event zeek_init() { h = Broker::create_master("master"); Broker::put(h, "one", "110"); diff --git a/testing/btest/broker/store/record.bro b/testing/btest/broker/store/record.bro index ab862012a6..62ee4735ba 100644 --- a/testing/btest/broker/store/record.bro +++ b/testing/btest/broker/store/record.bro @@ -8,7 +8,7 @@ type R: record { c: count; }; -event bro_init() +event zeek_init() { local cr = Broker::record_create(3); print Broker::record_size(cr); diff --git a/testing/btest/broker/store/set.bro b/testing/btest/broker/store/set.bro index 056b46e221..c2524cec6a 100644 --- a/testing/btest/broker/store/set.bro +++ b/testing/btest/broker/store/set.bro @@ -3,7 +3,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out -event bro_init() +event zeek_init() { local cs = Broker::set_create(); diff --git a/testing/btest/broker/store/sqlite.bro b/testing/btest/broker/store/sqlite.bro index fbce1a693a..8adde597f5 100644 --- a/testing/btest/broker/store/sqlite.bro +++ b/testing/btest/broker/store/sqlite.bro @@ -27,7 +27,7 @@ event done() terminate(); } -event bro_init() +event zeek_init() { h = Broker::create_master("master", Broker::SQLITE); diff --git a/testing/btest/broker/store/table.bro b/testing/btest/broker/store/table.bro index 11bd00028b..6fdf7615a6 100644 --- a/testing/btest/broker/store/table.bro +++ b/testing/btest/broker/store/table.bro @@ -3,7 +3,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out -event bro_init() +event zeek_init() { local ct = Broker::table_create(); diff --git a/testing/btest/broker/store/type-conversion.bro b/testing/btest/broker/store/type-conversion.bro index c92c1ea4c9..fa9e16d587 100644 
--- a/testing/btest/broker/store/type-conversion.bro +++ b/testing/btest/broker/store/type-conversion.bro @@ -11,7 +11,7 @@ type R2: record { r1: R1; }; -event bro_init() +event zeek_init() { ### Print every broker data type print Broker::data_type(Broker::data(T)); diff --git a/testing/btest/broker/store/vector.bro b/testing/btest/broker/store/vector.bro index 7edc4ba050..7c44640334 100644 --- a/testing/btest/broker/store/vector.bro +++ b/testing/btest/broker/store/vector.bro @@ -3,7 +3,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out -event bro_init() +event zeek_init() { local cv = Broker::vector_create(); print Broker::vector_size(cv); diff --git a/testing/btest/broker/unpeer.bro b/testing/btest/broker/unpeer.bro index b591815955..5251c9eb60 100644 --- a/testing/btest/broker/unpeer.bro +++ b/testing/btest/broker/unpeer.bro @@ -34,7 +34,7 @@ event unpeer(endpoint: Broker::EndpointInfo) schedule 4secs { do_terminate() }; } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::auto_publish("bro/event/my_topic", print_something); @@ -65,7 +65,7 @@ event print_something(i: int) print "Something receiver", i; } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); diff --git a/testing/btest/core/discarder.bro b/testing/btest/core/discarder.bro index 9e8f5e7a2f..9c48526bac 100644 --- a/testing/btest/core/discarder.bro +++ b/testing/btest/core/discarder.bro @@ -6,7 +6,7 @@ @TEST-START-FILE discarder-ip.bro -event bro_init() +event zeek_init() { print "################ IP Discarder ################"; } @@ -28,7 +28,7 @@ event new_packet(c: connection, p: pkt_hdr) @TEST-START-FILE discarder-tcp.bro -event bro_init() +event zeek_init() { print "################ TCP Discarder ################"; } 
@@ -50,7 +50,7 @@ event new_packet(c: connection, p: pkt_hdr) @TEST-START-FILE discarder-udp.bro -event bro_init() +event zeek_init() { print "################ UDP Discarder ################"; } @@ -72,7 +72,7 @@ event new_packet(c: connection, p: pkt_hdr) @TEST-START-FILE discarder-icmp.bro -event bro_init() +event zeek_init() { print "################ ICMP Discarder ################"; } diff --git a/testing/btest/core/div-by-zero.bro b/testing/btest/core/div-by-zero.bro index d1221638d6..da06569c2f 100644 --- a/testing/btest/core/div-by-zero.bro +++ b/testing/btest/core/div-by-zero.bro @@ -26,7 +26,7 @@ event mod_count(a: count, b: count) print a % b; } -event bro_init() +event zeek_init() { event div_int(10, 0); event div_count(10, 0); diff --git a/testing/btest/core/embedded-null.bro b/testing/btest/core/embedded-null.bro index 95a4c965a9..c85da21541 100644 --- a/testing/btest/core/embedded-null.bro +++ b/testing/btest/core/embedded-null.bro @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -b %INPUT 2>&1 # @TEST-EXEC: btest-diff .stdout -event bro_init() +event zeek_init() { local a = "hi\x00there"; unique_id(a); diff --git a/testing/btest/core/event-arg-reuse.bro b/testing/btest/core/event-arg-reuse.bro index ba8e0f0677..3ad5f82cab 100644 --- a/testing/btest/core/event-arg-reuse.bro +++ b/testing/btest/core/event-arg-reuse.bro @@ -14,7 +14,7 @@ event f(a: int) &priority=-5 print "f2", a; } -event bro_init() +event zeek_init() { event f(1); } diff --git a/testing/btest/core/fake_dns.bro b/testing/btest/core/fake_dns.bro index f4d8c46777..f5cd4d2067 100644 --- a/testing/btest/core/fake_dns.bro +++ b/testing/btest/core/fake_dns.bro @@ -19,7 +19,7 @@ function check_terminate() terminate(); } -event bro_init() +event zeek_init() { print addrs; diff --git a/testing/btest/core/file-caching-serialization.test b/testing/btest/core/file-caching-serialization.test index 7ff1d8be8d..c6edeb55c2 100644 --- a/testing/btest/core/file-caching-serialization.test 
+++ b/testing/btest/core/file-caching-serialization.test @@ -42,7 +42,7 @@ event file_opened(f: file) print f, "opened"; } -event bro_init() +event zeek_init() { for ( i in iterations ) write_to_file(iterations[i]); diff --git a/testing/btest/core/global_opaque_val.bro b/testing/btest/core/global_opaque_val.bro index 84087d8295..0232271ced 100644 --- a/testing/btest/core/global_opaque_val.bro +++ b/testing/btest/core/global_opaque_val.bro @@ -3,7 +3,7 @@ global test = md5_hash_init(); -event bro_init() +event zeek_init() { md5_hash_update(test, "one"); md5_hash_update(test, "two"); diff --git a/testing/btest/core/leaks/basic-cluster.bro b/testing/btest/core/leaks/basic-cluster.bro index fa73fb9a96..d6c017090e 100644 --- a/testing/btest/core/leaks/basic-cluster.bro +++ b/testing/btest/core/leaks/basic-cluster.bro @@ -24,7 +24,7 @@ redef Log::default_rotation_interval = 0secs; global n = 0; -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)]; SumStats::create([$name="test", @@ -48,7 +48,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) global ready_for_data: event(); -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, ready_for_data); } diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.bro index 68235c7bab..9ee9ee2cd9 100644 --- a/testing/btest/core/leaks/broker/clone_store.bro +++ b/testing/btest/core/leaks/broker/clone_store.bro @@ -49,7 +49,7 @@ event inserted() schedule 2secs { done() }; } -event bro_init() +event zeek_init() { Broker::auto_publish("bro/events", done); Broker::subscribe("bro/"); @@ -127,7 +127,7 @@ event done() terminate(); } -event bro_init() +event zeek_init() { Broker::auto_publish("bro/events", inserted); Broker::subscribe("bro/"); 
diff --git a/testing/btest/core/leaks/broker/master_store.bro b/testing/btest/core/leaks/broker/master_store.bro index 583f80413b..08919bb461 100644 --- a/testing/btest/core/leaks/broker/master_store.bro +++ b/testing/btest/core/leaks/broker/master_store.bro @@ -85,7 +85,7 @@ event pk1() schedule 1sec { pk2() }; } -event bro_init() +event zeek_init() { h = Broker::create_master("master"); Broker::put(h, "one", "110"); diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test index 5000bd98d7..7eb84c94ef 100644 --- a/testing/btest/core/leaks/broker/remote_event.test +++ b/testing/btest/core/leaks/broker/remote_event.test @@ -16,7 +16,7 @@ redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); global auto_event_handler: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/"); Broker::auto_publish("bro/event/my_topic", auto_event_handler); @@ -50,7 +50,7 @@ redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); global auto_event_handler: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")), 1secs); diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test index 12abc1a313..0c50856b9b 100644 --- a/testing/btest/core/leaks/broker/remote_log.test +++ b/testing/btest/core/leaks/broker/remote_log.test @@ -27,7 +27,7 @@ export { }; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Test::LOG, [$columns=Test::Info]); } @@ -43,7 +43,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @load ./common.bro -event bro_init() +event zeek_init() { Broker::subscribe("bro/"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); 
@@ -60,7 +60,7 @@ event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string) @load ./common.bro -event bro_init() +event zeek_init() { Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); } diff --git a/testing/btest/core/leaks/exec.test b/testing/btest/core/leaks/exec.test index 4cc8240012..d9d96b5693 100644 --- a/testing/btest/core/leaks/exec.test +++ b/testing/btest/core/leaks/exec.test @@ -31,7 +31,7 @@ function test_cmd(label: string, cmd: Exec::Command) } } -event bro_init() +event zeek_init() { test_cmd("test1", [$cmd="bash ../somescript.sh", $read_files=set("out1", "out2")]); diff --git a/testing/btest/core/leaks/hll_cluster.bro b/testing/btest/core/leaks/hll_cluster.bro index e565778fbc..2fae13adad 100644 --- a/testing/btest/core/leaks/hll_cluster.bro +++ b/testing/btest/core/leaks/hll_cluster.bro @@ -31,7 +31,7 @@ global hll_data: event(data: opaque of cardinality); @if ( Cluster::local_node_type() == Cluster::WORKER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, hll_data); } @@ -94,7 +94,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) global result_count = 0; global hll: opaque of cardinality; -event bro_init() +event zeek_init() { hll = hll_cardinality_init(0.01, 0.95); } diff --git a/testing/btest/core/leaks/input-basic.bro b/testing/btest/core/leaks/input-basic.bro index 2f2ecf802d..177cbc5e26 100644 --- a/testing/btest/core/leaks/input-basic.bro +++ b/testing/btest/core/leaks/input-basic.bro @@ -50,7 +50,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/core/leaks/input-errors.bro b/testing/btest/core/leaks/input-errors.bro index 589579779f..93a143c8d5 100644 --- a/testing/btest/core/leaks/input-errors.bro +++ b/testing/btest/core/leaks/input-errors.bro 
@@ -152,7 +152,7 @@ event kill_me() terminate(); } -event bro_init() +event zeek_init() { outfile = open("out"); Input::add_event([$source="input.log", $name="file", $fields=FileVal, $ev=line_file, $want_record=T]); diff --git a/testing/btest/core/leaks/input-missing-enum.bro b/testing/btest/core/leaks/input-missing-enum.bro index 9037e15ed0..5f931a35f3 100644 --- a/testing/btest/core/leaks/input-missing-enum.bro +++ b/testing/btest/core/leaks/input-missing-enum.bro @@ -26,7 +26,7 @@ type Val: record { global etable: table[int] of Log::ID = table(); -event bro_init() +event zeek_init() { # first read in the old stuff into the table... Input::add_table([$source="../input.log", $name="enum", $idx=Idx, $val=Val, $destination=etable, $want_record=F]); diff --git a/testing/btest/core/leaks/input-optional-event.bro b/testing/btest/core/leaks/input-optional-event.bro index ca141e1c4e..df8d591769 100644 --- a/testing/btest/core/leaks/input-optional-event.bro +++ b/testing/btest/core/leaks/input-optional-event.bro @@ -50,7 +50,7 @@ event servers(desc: Input::EventDescription, tpe: Input::Event, item: Val) print outfile, item; } -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/core/leaks/input-optional-table.bro b/testing/btest/core/leaks/input-optional-table.bro index 95871b1516..f3e4c05fb4 100644 --- a/testing/btest/core/leaks/input-optional-table.bro +++ b/testing/btest/core/leaks/input-optional-table.bro @@ -50,7 +50,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/core/leaks/input-raw.bro b/testing/btest/core/leaks/input-raw.bro index 608ea25030..39ab13adfd 100644 --- a/testing/btest/core/leaks/input-raw.bro +++ b/testing/btest/core/leaks/input-raw.bro 
@@ -63,7 +63,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/core/leaks/input-reread.bro b/testing/btest/core/leaks/input-reread.bro index 8b6295c15d..c15a91a6aa 100644 --- a/testing/btest/core/leaks/input-reread.bro +++ b/testing/btest/core/leaks/input-reread.bro @@ -118,7 +118,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print outfile, right; } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/core/leaks/input-sqlite.bro b/testing/btest/core/leaks/input-sqlite.bro index ae1df163c8..d278a00533 100644 --- a/testing/btest/core/leaks/input-sqlite.bro +++ b/testing/btest/core/leaks/input-sqlite.bro @@ -87,7 +87,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, r: Conn::Inf print outfile, |r$tunnel_parents|; # to make sure I got empty right } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select * from conn;", diff --git a/testing/btest/core/leaks/input-with-remove.bro b/testing/btest/core/leaks/input-with-remove.bro index ba58d7b2f6..59e3f28c0a 100644 --- a/testing/btest/core/leaks/input-with-remove.bro +++ b/testing/btest/core/leaks/input-with-remove.bro @@ -52,7 +52,7 @@ event do_term() { terminate(); } -event bro_init() { +event zeek_init() { schedule 1sec { do() }; diff --git a/testing/btest/core/leaks/returnwhen.bro b/testing/btest/core/leaks/returnwhen.bro index f5160ef250..cf1115a738 100644 --- a/testing/btest/core/leaks/returnwhen.bro +++ b/testing/btest/core/leaks/returnwhen.bro @@ -63,7 +63,7 @@ event do_another() } } -event bro_init() +event zeek_init() { local local_dummy = dummyfunc; diff --git a/testing/btest/core/old_comm_usage.bro b/testing/btest/core/old_comm_usage.bro index 0e9ae2f1f6..8f4e3854aa 100644 
--- a/testing/btest/core/old_comm_usage.bro +++ b/testing/btest/core/old_comm_usage.bro @@ -1,7 +1,7 @@ # @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out -event bro_init() +event zeek_init() { terminate_communication(); } diff --git a/testing/btest/core/option-priorities.bro b/testing/btest/core/option-priorities.bro index fd352a5459..088d82ea9f 100644 --- a/testing/btest/core/option-priorities.bro +++ b/testing/btest/core/option-priorities.bro @@ -16,7 +16,7 @@ function option_changed_two(ID: string, new_value: bool, location: string): bool return T; } -event bro_init() +event zeek_init() { print "Old value", testbool; Option::set_change_handler("testbool", option_changed); diff --git a/testing/btest/core/option-redef.bro b/testing/btest/core/option-redef.bro index 3d67a9a755..30d381306a 100644 --- a/testing/btest/core/option-redef.bro +++ b/testing/btest/core/option-redef.bro @@ -9,7 +9,7 @@ redef testopt = 6; option anotheropt = 6; redef anotheropt = 7; -event bro_init() { +event zeek_init() { print testopt; print anotheropt; } diff --git a/testing/btest/core/pcap/dynamic-filter.bro b/testing/btest/core/pcap/dynamic-filter.bro index c1b48155c1..caebaf0558 100644 --- a/testing/btest/core/pcap/dynamic-filter.bro +++ b/testing/btest/core/pcap/dynamic-filter.bro @@ -21,7 +21,7 @@ event new_packet(c: connection, p: pkt_hdr) print "error 4"; } -event bro_init() +event zeek_init() { if ( ! Pcap::precompile_pcap_filter(A, "port 80") ) print "error 1"; diff --git a/testing/btest/core/pcap/filter-error.bro b/testing/btest/core/pcap/filter-error.bro index 10270ed53f..b83b8879a0 100644 --- a/testing/btest/core/pcap/filter-error.bro +++ b/testing/btest/core/pcap/filter-error.bro @@ -7,7 +7,7 @@ redef enum PcapFilterID += { A }; -event bro_init() +event zeek_init() { if ( ! Pcap::precompile_pcap_filter(A, "kaputt, too") ) print "error", Pcap::error(); 
diff --git a/testing/btest/core/pcap/input-error.bro b/testing/btest/core/pcap/input-error.bro index 44788b3391..5e469e08e8 100644 --- a/testing/btest/core/pcap/input-error.bro +++ b/testing/btest/core/pcap/input-error.bro @@ -5,7 +5,7 @@ redef enum PcapFilterID += { A }; -event bro_init() +event zeek_init() { if ( ! Pcap::precompile_pcap_filter(A, "kaputt, too") ) print "error", Pcap::error(); diff --git a/testing/btest/core/pcap/pseudo-realtime.bro b/testing/btest/core/pcap/pseudo-realtime.bro index 625706f321..c51b5cc32b 100644 --- a/testing/btest/core/pcap/pseudo-realtime.bro +++ b/testing/btest/core/pcap/pseudo-realtime.bro @@ -31,7 +31,7 @@ event new_packet(c: connection, p: pkt_hdr) # print fmt("num=%d agg_delta_network=%.1f agg_delta_real=%.1f", cnt, an, ac); } -event bro_done() +event zeek_done() { local d = (an - ac); if ( d < 0 secs) diff --git a/testing/btest/core/reassembly.bro b/testing/btest/core/reassembly.bro index 30cfaa727e..53489008de 100644 --- a/testing/btest/core/reassembly.bro +++ b/testing/btest/core/reassembly.bro @@ -5,7 +5,7 @@ # @TEST-EXEC: bro -C -r $TRACES/tcp/reassembly.pcap %INPUT >>output # @TEST-EXEC: btest-diff output -event bro_init() +event zeek_init() { print "----------------------"; } diff --git a/testing/btest/core/recursive-event.bro b/testing/btest/core/recursive-event.bro index 245e994cd6..63cb05eb6f 100644 --- a/testing/btest/core/recursive-event.bro +++ b/testing/btest/core/recursive-event.bro @@ -26,7 +26,7 @@ event test() event test(); } -event bro_init() +event zeek_init() { event test(); } diff --git a/testing/btest/core/reporter-error-in-handler.bro b/testing/btest/core/reporter-error-in-handler.bro index c4a21d5902..fc0517ab2a 100644 --- a/testing/btest/core/reporter-error-in-handler.bro +++ b/testing/btest/core/reporter-error-in-handler.bro @@ -23,7 +23,7 @@ event reporter_error(t: time, msg: string, location: string) } } -event bro_init() +event zeek_init() { print a[1]; } 
diff --git a/testing/btest/core/reporter-fmt-strings.bro b/testing/btest/core/reporter-fmt-strings.bro index 0e0be77844..09c03cf721 100644 --- a/testing/btest/core/reporter-fmt-strings.bro +++ b/testing/btest/core/reporter-fmt-strings.bro @@ -4,7 +4,7 @@ # @TEST-EXEC-FAIL: bro %INPUT >output 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output -event bro_init() +event zeek_init() { event dont_interpret_this("%s"); } diff --git a/testing/btest/core/reporter-parse-error.bro b/testing/btest/core/reporter-parse-error.bro index 25f33e2785..d57917ff26 100644 --- a/testing/btest/core/reporter-parse-error.bro +++ b/testing/btest/core/reporter-parse-error.bro @@ -2,7 +2,7 @@ # @TEST-EXEC-FAIL: bro %INPUT >output 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output -event bro_init() +event zeek_init() { print TESTFAILURE; } diff --git a/testing/btest/core/reporter-runtime-error.bro b/testing/btest/core/reporter-runtime-error.bro index f8dd8c504c..9caeddb258 100644 --- a/testing/btest/core/reporter-runtime-error.bro +++ b/testing/btest/core/reporter-runtime-error.bro @@ -4,7 +4,7 @@ global a: table[count] of count; -event bro_init() +event zeek_init() { print a[2]; } diff --git a/testing/btest/core/reporter-type-mismatch.bro b/testing/btest/core/reporter-type-mismatch.bro index 0faa9b85e2..1a375ea84b 100644 --- a/testing/btest/core/reporter-type-mismatch.bro +++ b/testing/btest/core/reporter-type-mismatch.bro @@ -6,7 +6,7 @@ event foo(a: string) { } -event bro_init() +event zeek_init() { event foo(42); } diff --git a/testing/btest/core/reporter.bro b/testing/btest/core/reporter.bro index aa660ef495..bc79ca73d8 100644 --- a/testing/btest/core/reporter.bro +++ b/testing/btest/core/reporter.bro 
@@ -3,14 +3,14 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff logger-test.log -event bro_init() +event zeek_init() { Reporter::info("init test-info"); Reporter::warning("init test-warning"); Reporter::error("init test-error"); } -event bro_done() +event zeek_done() { Reporter::info("done test-info"); Reporter::warning("done test-warning"); diff --git a/testing/btest/core/vector-assignment.bro b/testing/btest/core/vector-assignment.bro index d1f02c124f..9c5cc4e0f6 100644 --- a/testing/btest/core/vector-assignment.bro +++ b/testing/btest/core/vector-assignment.bro @@ -13,7 +13,7 @@ function set_me(val: any) { print a; } -event bro_init() { +event zeek_init() { local b: vector of count = {1, 2, 3}; set_me(b); } diff --git a/testing/btest/core/when-interpreter-exceptions.bro b/testing/btest/core/when-interpreter-exceptions.bro index f259a46bda..f6a1d8a73b 100644 --- a/testing/btest/core/when-interpreter-exceptions.bro +++ b/testing/btest/core/when-interpreter-exceptions.bro @@ -79,7 +79,7 @@ function g(do_exception: bool): bool return F; } -event bro_init() +event zeek_init() { local cmd = Exec::Command($cmd="echo 'bro_init()'"); local stall = Exec::Command($cmd="sleep 30"); diff --git a/testing/btest/doc/broxygen/all_scripts.test b/testing/btest/doc/broxygen/all_scripts.test deleted file mode 100644 index 238ba3a4f3..0000000000 --- a/testing/btest/doc/broxygen/all_scripts.test +++ /dev/null 
@@ -1,14 +0,0 @@
-# This test is mostly just checking that there's no errors that result
-# from loading all scripts and generated docs for each.
-
-# This must be serialized with communication tests because it does load
-# listen.bro in order to document it.
-
-# @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/ Broker::default_port=$BROKER_PORT
-# @TEST-EXEC: btest-diff .stdout
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
-
-@TEST-START-FILE broxygen.config
-script * scripts/
-@TEST-END-FILE
diff --git a/testing/btest/doc/broxygen/command_line.bro b/testing/btest/doc/broxygen/command_line.bro
deleted file mode 100644
index d009667b7e..0000000000
--- a/testing/btest/doc/broxygen/command_line.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# Shouldn't emit any warnings about not being able to document something
-# that's supplied via command line script.
-
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1
-# @TEST-EXEC: btest-diff output
-
-const myvar = 5 &redef;
diff --git a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro b/testing/btest/doc/broxygen/comment_retrieval_bifs.bro
deleted file mode 100644
index f3c1be6b14..0000000000
--- a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro
+++ /dev/null
@@ -1,111 +0,0 @@
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b %INPUT >out
-# @TEST-EXEC: btest-diff out
-
-##! This is a test script.
-##! With some summary comments.
-
-## Hello world. This is an option.
-## With some more description here.
-## And here.
-const myvar = 7 &redef; ##< Maybe just one more.
-
-## This function prints a string line by line.
-##
-## lines: A string to print line by line, w/ lines delimited by newline chars.
-global print_lines: function(lines: string, prefix: string &default="");
-
-## And some more comments on the function implementation.
-function print_lines(lines: string, prefix: string)
- {
- local v: vector of string;
- local line_table = split(lines, /\n/);
-
- for ( i in line_table )
- v[i] = line_table[i];
-
- for ( i in v )
- print fmt("%s%s", prefix, v[i]);
- }
-
-function print_comments(name: string, func: function(name: string): string)
- {
- print fmt("%s:", name);
- print_lines(func(name), " ");
- }
-
-## This is an alias for count.
-type mytype: count;
-
-## My record type.
-type myrecord: record {
- ## The first field.
- ## Does something...
- aaa: count; ##< Done w/ aaa.
- ## The second field.
- bbb: string; ##< Done w/ bbb.
- ##< No really, done w/ bbb.
- ## Third field.
- ccc: int; ##< Done w/ ccc.
- ## Fourth field.
- ddd: interval; ##< Done w/ ddd.
-};
-
-
-## My enum type;
-type myenum: enum {
- ## First enum value.
- ## I know, the name isn't clever.
- FIRST, ##< Done w/ first.
- ## Second enum value.
- SECOND, ##< Done w/ second.
- ## Third enum value.
- THIRD, ##< Done w/ third.
- ##< Done w/ third again.
- ## SIC.
- ## It's a programming language.
- FORTH ##< Using Reverse Polish Notation.
- ##< Done w/ forth.
-};
-
-redef record myrecord += {
- ## First redef'd field.
- ## With two lines of comments.
- eee: count &optional; ##< And two post-notation comments.
- ##< Done w/ eee.
- ## Second redef'd field.
- fff: count &optional; ##< Done w/ fff.
- ## Third redef'd field.
- ggg: count &optional; ##< Done w/ ggg.
-};
-
-redef enum myenum += {
- ## First redef'd enum val.
- FIFTH, ##< Done w/ fifth.
- ## Second redef'd enum val.
- SIXTH, ##< Done w/ sixth.
- ## Third redef'd enum val.
- ## Lucky number seven.
- SEVENTH, ##< Still works with comma.
- ##< Done w/ seventh.
-};
-
-print_lines(get_script_comments(@DIR + "/" + @FILENAME));
-print_comments("myvar", get_identifier_comments);
-print_comments("print_lines", get_identifier_comments);
-print_comments("mytype", get_identifier_comments);
-print_comments("myrecord", get_identifier_comments);
-print_comments("myrecord$aaa", get_record_field_comments);
-print_comments("myrecord$bbb", get_record_field_comments);
-print_comments("myrecord$ccc", get_record_field_comments);
-print_comments("myrecord$ddd", get_record_field_comments);
-print_comments("myrecord$eee", get_record_field_comments);
-print_comments("myrecord$fff", get_record_field_comments);
-print_comments("myrecord$ggg", get_record_field_comments);
-print_comments("myenum", get_identifier_comments);
-print_comments("FIRST", get_identifier_comments);
-print_comments("SECOND", get_identifier_comments);
-print_comments("THIRD", get_identifier_comments);
-print_comments("FORTH", get_identifier_comments);
-print_comments("FIFTH", get_identifier_comments);
-print_comments("SIXTH", get_identifier_comments);
-print_comments("SEVENTH", get_identifier_comments);
diff --git a/testing/btest/doc/broxygen/enums.bro b/testing/btest/doc/broxygen/enums.bro
deleted file mode 100644
index 8fbdb11ab6..0000000000
--- a/testing/btest/doc/broxygen/enums.bro
+++ /dev/null
@@ -1,43 +0,0 @@
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
-# @TEST-EXEC: btest-diff autogen-reST-enums.rst
-
-@TEST-START-FILE broxygen.config
-identifier TestEnum* autogen-reST-enums.rst
-@TEST-END-FILE
-
-## There's tons of ways an enum can look...
-type TestEnum1: enum {
- ## like this
- ONE,
- TWO, ##< or like this
- ## multiple
- ## comments
- THREE, ##< and even
- ##< more comments
-};
-
-## The final comma is optional
-type TestEnum2: enum {
- ## like this
- A,
- B, ##< or like this
- ## multiple
- ## comments
- C ##< and even
- ##< more comments
-};
-
-## redefs should also work
-redef enum TestEnum1 += {
- ## adding another
- FOUR ##< value
-};
-
-## now with a comma
-redef enum TestEnum1 += {
- ## adding another
- FIVE, ##< value
-};
-
-## this should reference the TestEnum1 type and not a generic "enum" type
-const TestEnumVal = ONE &redef;
diff --git a/testing/btest/doc/broxygen/example.bro b/testing/btest/doc/broxygen/example.bro
deleted file mode 100644
index 22a6fc7418..0000000000
--- a/testing/btest/doc/broxygen/example.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config %INPUT
-# @TEST-EXEC: btest-diff example.rst
-
-@TEST-START-FILE broxygen.config
-script broxygen/example.bro example.rst
-@TEST-END-FILE
-
-@load broxygen/example.bro
diff --git a/testing/btest/doc/broxygen/func-params.bro b/testing/btest/doc/broxygen/func-params.bro
deleted file mode 100644
index e53ca475f1..0000000000
--- a/testing/btest/doc/broxygen/func-params.bro
+++ /dev/null
@@ -1,24 +0,0 @@
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
-# @TEST-EXEC: btest-diff autogen-reST-func-params.rst
-
-@TEST-START-FILE broxygen.config
-identifier test_func_params* autogen-reST-func-params.rst
-@TEST-END-FILE
-
-## This is a global function declaration.
-##
-## i: First param.
-## j: Second param.
-##
-## Returns: A string.
-global test_func_params_func: function(i: int, j: int): string;
-
-type test_func_params_rec: record {
- ## This is a record field function.
- ##
- ## i: First param.
- ## j: Second param.
- ##
- ## Returns: A string.
- field_func: function(i: int, j: int): string;
-};
diff --git a/testing/btest/doc/broxygen/identifier.bro b/testing/btest/doc/broxygen/identifier.bro
deleted file mode 100644
index ae49d812a0..0000000000
--- a/testing/btest/doc/broxygen/identifier.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT
-# @TEST-EXEC: btest-diff test.rst
-
-@TEST-START-FILE broxygen.config
-identifier BroxygenExample::* test.rst
-@TEST-END-FILE
-
-@load broxygen
diff --git a/testing/btest/doc/broxygen/package.bro b/testing/btest/doc/broxygen/package.bro
deleted file mode 100644
index 6a9957804a..0000000000
--- a/testing/btest/doc/broxygen/package.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT
-# @TEST-EXEC: btest-diff test.rst
-
-@TEST-START-FILE broxygen.config
-package broxygen test.rst
-@TEST-END-FILE
-
-@load broxygen
diff --git a/testing/btest/doc/broxygen/package_index.bro b/testing/btest/doc/broxygen/package_index.bro
deleted file mode 100644
index 49c367aa48..0000000000
--- a/testing/btest/doc/broxygen/package_index.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT
-# @TEST-EXEC: btest-diff test.rst
-
-@TEST-START-FILE broxygen.config
-package_index broxygen test.rst
-@TEST-END-FILE
-
-@load broxygen
diff --git a/testing/btest/doc/broxygen/records.bro b/testing/btest/doc/broxygen/records.bro
deleted file mode 100644
index fbaa957a9f..0000000000
--- a/testing/btest/doc/broxygen/records.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
-# @TEST-EXEC: btest-diff autogen-reST-records.rst
-
-@TEST-START-FILE broxygen.config
-identifier TestRecord* autogen-reST-records.rst
-@TEST-END-FILE
-
-# undocumented record
-type TestRecord1: record {
- field1: bool;
- field2: count;
-};
-
-## Here's the ways records and record fields can be documented.
-type TestRecord2: record {
- ## document ``A``
- A: count;
-
- B: bool; ##< document ``B``
-
- ## and now ``C``
- C: TestRecord1; ##< is a declared type
-
- ## sets/tables should show the index types
- D: set[count, bool];
-};
diff --git a/testing/btest/doc/broxygen/script_index.bro b/testing/btest/doc/broxygen/script_index.bro
deleted file mode 100644
index ab257ad35d..0000000000
--- a/testing/btest/doc/broxygen/script_index.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT
-# @TEST-EXEC: btest-diff test.rst
-
-@TEST-START-FILE broxygen.config
-script_index broxygen/* test.rst
-@TEST-END-FILE
-
-@load broxygen
diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.bro
deleted file mode 100644
index a517a08072..0000000000
--- a/testing/btest/doc/broxygen/script_summary.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT
-# @TEST-EXEC: btest-diff test.rst
-
-@TEST-START-FILE broxygen.config
-script_summary broxygen/example.bro test.rst
-@TEST-END-FILE
-
-@load broxygen
diff --git a/testing/btest/doc/broxygen/type-aliases.bro b/testing/btest/doc/broxygen/type-aliases.bro
deleted file mode 100644
index 0971327c2b..0000000000
--- a/testing/btest/doc/broxygen/type-aliases.bro
+++ /dev/null
@@ -1,34 +0,0 @@
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
-# @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst
-
-@TEST-START-FILE broxygen.config
-identifier BroxygenTest::* autogen-reST-type-aliases.rst
-@TEST-END-FILE
-
-module BroxygenTest;
-
-export {
- ## This is just an alias for a builtin type ``bool``.
- type TypeAlias: bool;
-
- ## This type should get its own comments, not associated w/ TypeAlias.
- type NotTypeAlias: bool;
-
- ## This cross references ``bool`` in the description of its type
- ## instead of ``TypeAlias`` just because it seems more useful --
- ## one doesn't have to click through the full type alias chain to
- ## find out what the actual type is...
- type OtherTypeAlias: TypeAlias;
-
- ## But this should reference a type of ``TypeAlias``.
- global a: TypeAlias;
-
- ## And this should reference a type of ``OtherTypeAlias``.
- global b: OtherTypeAlias;
-
- type MyRecord: record {
- f1: TypeAlias;
- f2: OtherTypeAlias;
- f3: bool;
- };
-}
diff --git a/testing/btest/doc/broxygen/vectors.bro b/testing/btest/doc/broxygen/vectors.bro
deleted file mode 100644
index 7c18225357..0000000000
--- a/testing/btest/doc/broxygen/vectors.bro
+++ /dev/null
@@ -1,20 +0,0 @@
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
-# @TEST-EXEC: btest-diff autogen-reST-vectors.rst
-
-@TEST-START-FILE broxygen.config
-identifier test_vector* autogen-reST-vectors.rst
-@TEST-END-FILE
-
-type TestRecord: record {
- field1: bool;
- field2: count;
-};
-
-## Yield type is documented/cross-referenced for primitize types.
-global test_vector0: vector of string;
-
-## Yield type is documented/cross-referenced for composite types.
-global test_vector1: vector of TestRecord;
-
-## Just showing an even fancier yield type.
-global test_vector2: vector of vector of TestRecord;
diff --git a/testing/btest/doc/record-add.bro b/testing/btest/doc/record-add.bro
deleted file mode 100644
index 284ea22959..0000000000
--- a/testing/btest/doc/record-add.bro
+++ /dev/null
@@ -1,36 +0,0 @@
-# @TEST-EXEC: bro -b %INPUT
-
-# To support documentation of type aliases, Bro clones declared types
-# (see add_type() in Var.cc) in order to keep track of type names and aliases.
-# This test makes sure that the cloning is done in a way that's compatible
-# with adding fields to a record type -- we want to be sure that cloning
-# a type that contains record types will correctly see field additions to
-# those contained-records.
-
-type my_record: record {
- field1: bool;
- field2: string;
-};
-
-type super_record: record {
- rec: my_record;
-};
-type my_table: table[count] of my_record;
-type my_vector: vector of my_record;
-
-redef record my_record += {
- field3: count &optional;
-};
-
-global a: my_record;
-global b: super_record;
-global c: my_table;
-global d: my_vector;
-
-function test_func()
- {
- a?$field3;
- b$rec?$field3;
- c[0]$field3;
- d[0]$field3;
- }
diff --git a/testing/btest/doc/record-attr-check.bro b/testing/btest/doc/record-attr-check.bro
deleted file mode 100644
index c7dc74631d..0000000000
--- a/testing/btest/doc/record-attr-check.bro
+++ /dev/null
@@ -1,9 +0,0 @@ -# @TEST-EXEC: bro -b %INPUT - -type Tag: enum { - SOMETHING -}; - -type R: record { - field1: set[Tag] &default=set(); -}; diff --git a/testing/btest/language/addr.bro b/testing/btest/language/addr.bro index dd7e5e1dff..dff376ec4a 100644 --- a/testing/btest/language/addr.bro +++ b/testing/btest/language/addr.bro @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { # IPv4 addresses local a1: addr = 0.0.0.0; diff --git a/testing/btest/language/any.bro b/testing/btest/language/any.bro index fca23f6db8..32daa36903 100644 --- a/testing/btest/language/any.bro +++ b/testing/btest/language/any.bro @@ -11,7 +11,7 @@ function anyarg(arg1: any, arg1type: string) test_case( arg1type, type_name(arg1) == arg1type ); } -event bro_init() +event zeek_init() { local any1: any = 5; local any2: any = "bar"; diff --git a/testing/btest/language/at-if-event.bro b/testing/btest/language/at-if-event.bro index 0dd9815908..2ac757810d 100644 --- a/testing/btest/language/at-if-event.bro +++ b/testing/btest/language/at-if-event.bro @@ -12,7 +12,7 @@ lalala } @if ( 1==1 ) -event bro_init() +event zeek_init() @else lalala @endif @@ -24,7 +24,7 @@ lalala @if ( 1==0 ) lalala @else -event bro_init() +event zeek_init() @endif { print "3"; @@ -32,7 +32,7 @@ event bro_init() @if ( 1==1 ) @if ( 1==1 ) -event bro_init() +event zeek_init() @endif @else lalala @@ -42,7 +42,7 @@ lalala } @if ( 1==1 ) -event bro_init() &priority=10 +event zeek_init() &priority=10 @else lalala @endif diff --git a/testing/btest/language/at-if-invalid.bro b/testing/btest/language/at-if-invalid.bro index 1be2b94304..e2e5e2c699 100644 --- a/testing/btest/language/at-if-invalid.bro +++ b/testing/btest/language/at-if-invalid.bro @@ -6,7 +6,7 @@ function foo(c: count): bool global TRUE_CONDITION = T; -event bro_init() +event zeek_init() { local xyz = 0; local local_true_condition = T; 
diff --git a/testing/btest/language/at-if.bro b/testing/btest/language/at-if.bro index dddf9a22a5..1aba7b9ded 100644 --- a/testing/btest/language/at-if.bro +++ b/testing/btest/language/at-if.bro @@ -11,7 +11,7 @@ function foo(c: count): bool global TRUE_CONDITION = T; -event bro_init() +event zeek_init() { local xyz = 0; diff --git a/testing/btest/language/at-ifdef.bro b/testing/btest/language/at-ifdef.bro index e7bb961833..ebc59f7056 100644 --- a/testing/btest/language/at-ifdef.bro +++ b/testing/btest/language/at-ifdef.bro @@ -8,7 +8,7 @@ function test_case(msg: string, expect: bool) global thisisdefined = 123; -event bro_init() +event zeek_init() { local xyz = 0; diff --git a/testing/btest/language/at-ifndef.bro b/testing/btest/language/at-ifndef.bro index 8bff0c456b..6e4df4dd86 100644 --- a/testing/btest/language/at-ifndef.bro +++ b/testing/btest/language/at-ifndef.bro @@ -8,7 +8,7 @@ function test_case(msg: string, expect: bool) global thisisdefined = 123; -event bro_init() +event zeek_init() { local xyz = 0; diff --git a/testing/btest/language/at-load.bro b/testing/btest/language/at-load.bro index 7427cd639a..ae14eba436 100644 --- a/testing/btest/language/at-load.bro +++ b/testing/btest/language/at-load.bro @@ -5,7 +5,7 @@ @load secondtestfile -event bro_init() +event zeek_init() { test_case( "function", T ); test_case( "global variable", num == 123 ); diff --git a/testing/btest/language/attr-default-coercion.bro b/testing/btest/language/attr-default-coercion.bro index 14590d0033..8304169cfb 100644 --- a/testing/btest/language/attr-default-coercion.bro +++ b/testing/btest/language/attr-default-coercion.bro @@ -16,7 +16,7 @@ function foo(i: int &default = 237, d: double &default = 101) print i, d; } -event bro_init() +event zeek_init() { print t["nope"]; print r; diff --git a/testing/btest/language/bool.bro b/testing/btest/language/bool.bro index 8a1404459c..be54a442d9 100644 --- a/testing/btest/language/bool.bro +++ b/testing/btest/language/bool.bro 
@@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local b1: bool = T; local b2: bool = F; diff --git a/testing/btest/language/conditional-expression.bro b/testing/btest/language/conditional-expression.bro index ea0acf009f..4938b87b4d 100644 --- a/testing/btest/language/conditional-expression.bro +++ b/testing/btest/language/conditional-expression.bro @@ -21,7 +21,7 @@ function f2(): bool } -event bro_init() +event zeek_init() { local a: count; local b: count; diff --git a/testing/btest/language/const.bro b/testing/btest/language/const.bro index ee938e8d45..c30a9cec18 100644 --- a/testing/btest/language/const.bro +++ b/testing/btest/language/const.bro @@ -21,7 +21,7 @@ redef foo = 10; const bar = 9; -event bro_init() +event zeek_init() { const baz = 7; local i = foo; @@ -48,7 +48,7 @@ redef foo = 10; const bar = 9; -event bro_init() +event zeek_init() { const baz = 7; local s = 0; diff --git a/testing/btest/language/copy.bro b/testing/btest/language/copy.bro index 3ddbc15e23..e3d6b80d5b 100644 --- a/testing/btest/language/copy.bro +++ b/testing/btest/language/copy.bro @@ -8,7 +8,7 @@ function test_case(msg: string, expect: bool) -event bro_init() +event zeek_init() { # "b" is not a copy of "a" local a: set[string] = set("this", "test"); diff --git a/testing/btest/language/count.bro b/testing/btest/language/count.bro index 39a3786dfb..6e5dca8bc2 100644 --- a/testing/btest/language/count.bro +++ b/testing/btest/language/count.bro @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local c1: count = 0; local c2: count = 5; diff --git a/testing/btest/language/deprecated.bro b/testing/btest/language/deprecated.bro index ec9c3c9e1e..9ac6996145 100644 --- a/testing/btest/language/deprecated.bro +++ b/testing/btest/language/deprecated.bro @@ -24,7 +24,7 @@ type my_other_enum: enum { TWO = 2 &deprecated }; -event bro_init() +event zeek_init() { print ZERO; print ONE; 
diff --git a/testing/btest/language/double.bro b/testing/btest/language/double.bro index f85b216828..f1338ca16d 100644 --- a/testing/btest/language/double.bro +++ b/testing/btest/language/double.bro @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local d1: double = 3; local d2: double = +3; diff --git a/testing/btest/language/enum.bro b/testing/btest/language/enum.bro index 6de7d345da..c4aa2d71a1 100644 --- a/testing/btest/language/enum.bro +++ b/testing/btest/language/enum.bro @@ -14,7 +14,7 @@ type color: enum { Red, White, Blue, }; type city: enum { Rome, Paris }; -event bro_init() +event zeek_init() { local e1: color = Blue; local e2: color = White; diff --git a/testing/btest/language/event-local-var.bro b/testing/btest/language/event-local-var.bro index d4dd9d19a5..337cd37bac 100644 --- a/testing/btest/language/event-local-var.bro +++ b/testing/btest/language/event-local-var.bro @@ -7,7 +7,7 @@ event e1(num: count) print fmt("event 1: %s", num); } -event bro_init() +event zeek_init() { # Test assigning a local event variable to an event local v: event(num: count); diff --git a/testing/btest/language/event.bro b/testing/btest/language/event.bro index d4eef24731..5f9f552e0d 100644 --- a/testing/btest/language/event.bro +++ b/testing/btest/language/event.bro @@ -32,7 +32,7 @@ event e3(test: string) global e5: event(num: count); -event bro_init() +event zeek_init() { # Test calling an event with "event" statement event e1(); diff --git a/testing/btest/language/expire-expr-error.bro b/testing/btest/language/expire-expr-error.bro index 7c9a3aa318..b2ac4d7c55 100644 --- a/testing/btest/language/expire-expr-error.bro +++ b/testing/btest/language/expire-expr-error.bro @@ -20,7 +20,7 @@ event do_it() } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { data[0] = "some data"; schedule 1sec { do_it() }; 
diff --git a/testing/btest/language/expire-func-undef.bro b/testing/btest/language/expire-func-undef.bro index eb864d2390..2da735a9be 100644 --- a/testing/btest/language/expire-func-undef.bro +++ b/testing/btest/language/expire-func-undef.bro @@ -29,7 +29,7 @@ event new_connection(c: connection) } -event bro_done() +event zeek_done() { for (o in distinct_peers) diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.bro index 5cbb00f313..552e26cce0 100644 --- a/testing/btest/language/expire-redef.bro +++ b/testing/btest/language/expire-redef.bro @@ -30,7 +30,7 @@ function expired(tbl: table[int] of string, idx: int): interval return 0sec; } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { data[0] = "some data"; schedule 4sec { do_it() }; diff --git a/testing/btest/language/expire_func.test b/testing/btest/language/expire_func.test index 653a4d9a86..c66a901a4f 100644 --- a/testing/btest/language/expire_func.test +++ b/testing/btest/language/expire_func.test @@ -9,7 +9,7 @@ function inform_me(s: set[string], idx: string): interval global s: set[string] &create_expire=1secs &expire_func=inform_me; -event bro_init() +event zeek_init() { add s["i"]; add s["am"]; diff --git a/testing/btest/language/expire_func_mod.bro b/testing/btest/language/expire_func_mod.bro index 4790a9650e..8b14dad74c 100644 --- a/testing/btest/language/expire_func_mod.bro +++ b/testing/btest/language/expire_func_mod.bro @@ -33,7 +33,7 @@ function table_expire_func(t: table[string] of count, s: string): interval return 0 secs; } -event bro_init() +event zeek_init() { local s="ashish"; t[s] = 1 ; diff --git a/testing/btest/language/expire_subnet.test b/testing/btest/language/expire_subnet.test index 12d5e56b5a..f0bf388ad0 100644 --- a/testing/btest/language/expire_subnet.test +++ b/testing/btest/language/expire_subnet.test @@ -55,7 +55,7 @@ function execute_test() ### Events ### -event bro_init() +event zeek_init() { step = 0; 
diff --git a/testing/btest/language/file.bro b/testing/btest/language/file.bro index 47430b6813..80d10a4d1f 100644 --- a/testing/btest/language/file.bro +++ b/testing/btest/language/file.bro @@ -3,7 +3,7 @@ # @TEST-EXEC: btest-diff out2 -event bro_init() +event zeek_init() { local f1: file = open( "out1" ); print f1, 20; diff --git a/testing/btest/language/for.bro b/testing/btest/language/for.bro index 5f0c211597..acf9612927 100644 --- a/testing/btest/language/for.bro +++ b/testing/btest/language/for.bro @@ -8,7 +8,7 @@ function test_case(msg: string, expect: bool) -event bro_init() +event zeek_init() { local vv: vector of string = vector( "a", "b", "c" ); local ct: count = 0; diff --git a/testing/btest/language/func-assignment.bro b/testing/btest/language/func-assignment.bro index 576d7f3270..724eac38ae 100644 --- a/testing/btest/language/func-assignment.bro +++ b/testing/btest/language/func-assignment.bro @@ -16,7 +16,7 @@ type sample_function: record { f: function(str: string): string; }; -event bro_init() +event zeek_init() { local test_sf: sample_function; test_sf$s = "Brogrammers, like bowties, are cool."; diff --git a/testing/btest/language/function.bro b/testing/btest/language/function.bro index ab60c4fa62..db2ac675b0 100644 --- a/testing/btest/language/function.bro +++ b/testing/btest/language/function.bro @@ -45,7 +45,7 @@ function f7(test: string): bool return F; } -event bro_init() +event zeek_init() { f1(); f2(); diff --git a/testing/btest/language/hook.bro b/testing/btest/language/hook.bro index 3edfd9556c..c14e153577 100644 --- a/testing/btest/language/hook.bro +++ b/testing/btest/language/hook.bro @@ -91,7 +91,7 @@ function printMe(s: string): bool return T; } -event bro_init() +event zeek_init() { print hook myhook([$a=1156, $b="hello world"]); diff --git a/testing/btest/language/hook_calls.bro b/testing/btest/language/hook_calls.bro index 41ef6f52ae..0e9e873662 100644 --- a/testing/btest/language/hook_calls.bro 
+++ b/testing/btest/language/hook_calls.bro @@ -33,7 +33,7 @@ global t: table[count] of hook(i: count) = { [0] = myhook, }; -event bro_init() +event zeek_init() { hook myhook(3); print hook myhook(3); @@ -66,7 +66,7 @@ hook myhook(i: count) if ( i == 0 ) break; } -event bro_init() +event zeek_init() { myhook(3); print myhook(3); diff --git a/testing/btest/language/if.bro b/testing/btest/language/if.bro index 785030a012..9f3be4dd1b 100644 --- a/testing/btest/language/if.bro +++ b/testing/btest/language/if.bro @@ -8,7 +8,7 @@ function test_case(msg: string, expect: bool) -event bro_init() +event zeek_init() { # Test "if" without "else" diff --git a/testing/btest/language/index-assignment-invalid.bro b/testing/btest/language/index-assignment-invalid.bro index 68458eb149..662b73ff91 100644 --- a/testing/btest/language/index-assignment-invalid.bro +++ b/testing/btest/language/index-assignment-invalid.bro @@ -27,7 +27,7 @@ function foo(s: string, c: count) bar(c + 42); } -event bro_init() +event zeek_init() { Queue::put(q, "hello"); Queue::put(q, "goodbye"); diff --git a/testing/btest/language/init-in-anon-function.bro b/testing/btest/language/init-in-anon-function.bro index 45f5f09f09..4da70dd2f4 100644 --- a/testing/btest/language/init-in-anon-function.bro +++ b/testing/btest/language/init-in-anon-function.bro @@ -3,7 +3,7 @@ module Foo; -event bro_init() { +event zeek_init() { Log::remove_default_filter(HTTP::LOG); diff --git a/testing/btest/language/int.bro b/testing/btest/language/int.bro index f511d82bbb..d4314c8367 100644 --- a/testing/btest/language/int.bro +++ b/testing/btest/language/int.bro @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local i1: int = 3; local i2: int = +3; diff --git a/testing/btest/language/interval.bro b/testing/btest/language/interval.bro index 0bb912c4d9..c8b975e637 100644 --- a/testing/btest/language/interval.bro +++ b/testing/btest/language/interval.bro 
@@ -12,7 +12,7 @@ function approx_equal(x: double, y: double): bool return |(x - y)/x| < 1e-6 ? T : F; } -event bro_init() +event zeek_init() { # Constants without space and no letter "s" diff --git a/testing/btest/language/module.bro b/testing/btest/language/module.bro index 3278697a8d..7f2512741f 100644 --- a/testing/btest/language/module.bro +++ b/testing/btest/language/module.bro @@ -30,7 +30,7 @@ event testevent(msg: string) # In this source file, we try to access each exported object from the module -event bro_init() +event zeek_init() { thisisatest::test_case( "function", T ); thisisatest::test_case( "global variable", thisisatest::num == 123 ); diff --git a/testing/btest/language/named-table-ctors.bro b/testing/btest/language/named-table-ctors.bro index 1fad56e30f..45d0974832 100644 --- a/testing/btest/language/named-table-ctors.bro +++ b/testing/btest/language/named-table-ctors.bro @@ -17,7 +17,7 @@ global mytablecomp: FooTableComp = FooTableComp(["test", 1] = "test1", ["cool", 2] = "cool2"); global mytabley: FooTableY = FooTableY(["one"] = 1, ["two"] = 2, ["three"] = 3) &default=0; -event bro_init() +event zeek_init() { print mytable; print mytablerec; diff --git a/testing/btest/language/next-test.bro b/testing/btest/language/next-test.bro index d46ad187c4..83523dd59b 100644 --- a/testing/btest/language/next-test.bro +++ b/testing/btest/language/next-test.bro @@ -4,7 +4,7 @@ # This script tests "next" being called during the last iteration of a # for loop -event bro_done() +event zeek_done() { local number_set: set[count]; diff --git a/testing/btest/language/no-module.bro b/testing/btest/language/no-module.bro index fff55d3854..4d1372f10c 100644 --- a/testing/btest/language/no-module.bro +++ b/testing/btest/language/no-module.bro 
@@ -23,7 +23,7 @@ event testevent(msg: string) # In this script, we try to access each object defined in the other script -event bro_init() +event zeek_init() { test_case( "function", T ); test_case( "global variable", num == 123 ); diff --git a/testing/btest/language/null-statement.bro b/testing/btest/language/null-statement.bro index 20c70f4876..69861ce96e 100644 --- a/testing/btest/language/null-statement.bro +++ b/testing/btest/language/null-statement.bro @@ -7,7 +7,7 @@ function f1(test: string) ; # null statement in function } -event bro_init() +event zeek_init() { local s1: set[string] = set( "this", "test" ); diff --git a/testing/btest/language/outer_param_binding.bro b/testing/btest/language/outer_param_binding.bro index fb37fd4712..a197cb87fb 100644 --- a/testing/btest/language/outer_param_binding.bro +++ b/testing/btest/language/outer_param_binding.bro @@ -21,7 +21,7 @@ function bar(b: string, c: string) print f$x("2"); } -event bro_init() +event zeek_init() { bar("1", "20"); } diff --git a/testing/btest/language/pattern.bro b/testing/btest/language/pattern.bro index e427b70e80..ae9cb15bf7 100644 --- a/testing/btest/language/pattern.bro +++ b/testing/btest/language/pattern.bro @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local p1: pattern = /foo|bar/; local p2: pattern = /oob/; diff --git a/testing/btest/language/port.bro b/testing/btest/language/port.bro index a9c7fd33e7..81d7704c14 100644 --- a/testing/btest/language/port.bro +++ b/testing/btest/language/port.bro @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local p1: port = 1/icmp; local p2: port = 2/udp; diff --git a/testing/btest/language/precedence.bro b/testing/btest/language/precedence.bro index 27fc1e024a..9d74c67262 100644 --- a/testing/btest/language/precedence.bro +++ b/testing/btest/language/precedence.bro 
@@ -9,7 +9,7 @@ function test_case(msg: string, expect: bool) # This is an incomplete set of tests to demonstrate the order of precedence # of bro script operators -event bro_init() +event zeek_init() { local n1: int; local n2: int; diff --git a/testing/btest/language/raw_output_attr.test b/testing/btest/language/raw_output_attr.test index 8bcd479fbf..3af94dc727 100644 --- a/testing/btest/language/raw_output_attr.test +++ b/testing/btest/language/raw_output_attr.test @@ -8,7 +8,7 @@ # first check local variable of file type w/ &raw_output -event bro_init() +event zeek_init() { local myfile: file; myfile = open("myfile"); diff --git a/testing/btest/language/record-ceorce-orphan.bro b/testing/btest/language/record-ceorce-orphan.bro index 126b99d5ff..d72f447a12 100644 --- a/testing/btest/language/record-ceorce-orphan.bro +++ b/testing/btest/language/record-ceorce-orphan.bro @@ -12,7 +12,7 @@ function myfunc(rec: myrec) print rec; } -event bro_init() +event zeek_init() { # Orhpaned fields in a record coercion reflect a programming error, like a typo, so should # be reported at parse-time to prevent unexpected run-time behavior. diff --git a/testing/btest/language/record-coerce-clash.bro b/testing/btest/language/record-coerce-clash.bro index a0bd6f21ad..5dab9ded8a 100644 --- a/testing/btest/language/record-coerce-clash.bro +++ b/testing/btest/language/record-coerce-clash.bro @@ -7,7 +7,7 @@ type myrec: record { cid: conn_id; }; -event bro_init() +event zeek_init() { local mr: myrec; mr = [$cid = [$orig_h=1.2.3.4,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=wrong]]; diff --git a/testing/btest/language/record-function-recursion.bro b/testing/btest/language/record-function-recursion.bro index 90832bfa69..d6a1587962 100644 --- a/testing/btest/language/record-function-recursion.bro +++ b/testing/btest/language/record-function-recursion.bro 
@@ -13,7 +13,7 @@ redef record Outer += { inner: Inner &optional; }; -event bro_init() { +event zeek_init() { local o = Outer(); print o; print type_name(o); diff --git a/testing/btest/language/record-recursive-coercion.bro b/testing/btest/language/record-recursive-coercion.bro index 0eb24a70d9..4d17c0dee3 100644 --- a/testing/btest/language/record-recursive-coercion.bro +++ b/testing/btest/language/record-recursive-coercion.bro @@ -32,7 +32,7 @@ function foo_func(fc: FooContainer) print fc; } -event bro_init() +event zeek_init() { for ( sw in matched_software ) print matched_software[sw]$version; diff --git a/testing/btest/language/record-type-checking.bro b/testing/btest/language/record-type-checking.bro index d58937d577..5e50a4d8bc 100644 --- a/testing/btest/language/record-type-checking.bro +++ b/testing/btest/language/record-type-checking.bro @@ -13,7 +13,7 @@ global gren: MyRec = MyRec($a = 1); # type clash in init # global, type deduction, anon ctor global grda = [$a = 2]; # fine -event bro_init() +event zeek_init() { grda = MyRec($a = 2); # type clash in assignment } @@ -22,26 +22,26 @@ event bro_init() global grea: MyRec = [$a = 3]; # type clash # local, type deduction, named ctor -event bro_init() +event zeek_init() { local lrdn = MyRec($a = 1000); # type clash } # local, type explicit, named ctor -event bro_init() +event zeek_init() { local lren: MyRec = MyRec($a = 1001); # type clash } # local, type deduction, anon ctor -event bro_init() +event zeek_init() { local lrda = [$a = 1002]; # fine lrda = MyRec($a = 1002); # type clash } # local, type explicit, anon ctor -event bro_init() +event zeek_init() { local lrea: MyRec = [$a = 1003]; # type clash } diff --git a/testing/btest/language/redef-same-prefixtable-idx.bro b/testing/btest/language/redef-same-prefixtable-idx.bro index 13cf27cc0f..e0e16060f4 100644 --- a/testing/btest/language/redef-same-prefixtable-idx.bro +++ b/testing/btest/language/redef-same-prefixtable-idx.bro 
@@ -10,7 +10,7 @@ redef my_table[3.0.0.0/8] = 2.0.0.0/8; # redef my_table += { [3.0.0.0/8] = 1.0.0.0/8 }; # redef my_table += { [3.0.0.0/8] = 2.0.0.0/8 }; -event bro_init() +event zeek_init() { print my_table; print my_table[3.0.0.0/8]; diff --git a/testing/btest/language/returnwhen.bro b/testing/btest/language/returnwhen.bro index 593841eb7e..79f55fbfc2 100644 --- a/testing/btest/language/returnwhen.bro +++ b/testing/btest/language/returnwhen.bro @@ -58,7 +58,7 @@ event do_another() } } -event bro_init() +event zeek_init() { local local_dummy = dummyfunc; diff --git a/testing/btest/language/set-opt-record-index.bro b/testing/btest/language/set-opt-record-index.bro index d42de8b041..f22c144595 100644 --- a/testing/btest/language/set-opt-record-index.bro +++ b/testing/btest/language/set-opt-record-index.bro @@ -8,7 +8,7 @@ type FOO: record { b: count &optional; }; -event bro_init() +event zeek_init() { local set_of_foo: set[FOO] = set(); diff --git a/testing/btest/language/set-type-checking.bro b/testing/btest/language/set-type-checking.bro index 3c82a29730..3518b8a02d 100644 --- a/testing/btest/language/set-type-checking.bro +++ b/testing/btest/language/set-type-checking.bro @@ -11,7 +11,7 @@ global gen: MySet = MySet(1); # type clash in init # global, type deduction, anon ctor global gda = set(2); # fine -event bro_init() +event zeek_init() { gda = MySet(2); # type clash in assignment } @@ -20,26 +20,26 @@ event bro_init() global gea: MySet = set(3); # type clash # local, type deduction, named ctor -event bro_init() +event zeek_init() { local ldn = MySet(1000); # type clash } # local, type explicit, named ctor -event bro_init() +event zeek_init() { local len: MySet = MySet(1001); # type clash } # local, type deduction, anon ctor -event bro_init() +event zeek_init() { local lda = set(1002); # fine lda = MySet(1002); # type clash } # local, type explicit, anon ctor -event bro_init() +event zeek_init() { local lea: MySet = set(1003); # type clash } 
@@ -53,7 +53,7 @@ type MyRecord: record { global set_of_records: set[MyRecord]; -event bro_init() +event zeek_init() { # Set ctor w/ anonymous record ctor should coerce. set_of_records = set([$user="testuser", $host="testhost", $path="testpath"]); diff --git a/testing/btest/language/set.bro b/testing/btest/language/set.bro index 56cd649b49..53cf400795 100644 --- a/testing/btest/language/set.bro +++ b/testing/btest/language/set.bro @@ -13,7 +13,7 @@ global sg2: set[port, string, bool] = { [10/udp, "curly", F], [11/udp, "braces", T] }; global sg3 = { "more", "curly", "braces" }; -event bro_init() +event zeek_init() { local s1: set[string] = set( "test", "example" ); local s2: set[string] = set(); diff --git a/testing/btest/language/short-circuit.bro b/testing/btest/language/short-circuit.bro index 598ac8da35..70928f6441 100644 --- a/testing/btest/language/short-circuit.bro +++ b/testing/btest/language/short-circuit.bro @@ -21,7 +21,7 @@ function f_func(): bool } -event bro_init() +event zeek_init() { local res: bool; diff --git a/testing/btest/language/string.bro b/testing/btest/language/string.bro index abaa556b26..936ac3e493 100644 --- a/testing/btest/language/string.bro +++ b/testing/btest/language/string.bro @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local s1: string = "a\ty"; # tab local s2: string = "a\nb"; # newline diff --git a/testing/btest/language/strings.bro b/testing/btest/language/strings.bro index f601797978..992fb2c5b3 100644 --- a/testing/btest/language/strings.bro +++ b/testing/btest/language/strings.bro @@ -4,7 +4,7 @@ # Demo policy for string functions # -event bro_init() +event zeek_init() { local s1: string = "broisaveryneatids"; diff --git a/testing/btest/language/subnet.bro b/testing/btest/language/subnet.bro index b3b50e085f..32cf11701e 100644 --- a/testing/btest/language/subnet.bro +++ b/testing/btest/language/subnet.bro 
@@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { # IPv4 addr local a1: addr = 192.1.2.3; diff --git a/testing/btest/language/switch-incomplete.bro b/testing/btest/language/switch-incomplete.bro index 7ee800b274..dedf529ccb 100644 --- a/testing/btest/language/switch-incomplete.bro +++ b/testing/btest/language/switch-incomplete.bro @@ -1,7 +1,7 @@ # @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out -event bro_init() +event zeek_init() { switch ( 1 ) { case 1: diff --git a/testing/btest/language/switch-statement.bro b/testing/btest/language/switch-statement.bro index 152b14f87d..1035cb4b2e 100644 --- a/testing/btest/language/switch-statement.bro +++ b/testing/btest/language/switch-statement.bro @@ -219,7 +219,7 @@ function test_switch(actual: string, expect: string) print fmt("%s != %s", actual, expect); } -event bro_init() +event zeek_init() { test_switch( switch_bool(T) , "true" ); test_switch( switch_bool(F) , "false" ); diff --git a/testing/btest/language/switch-types-vars.bro b/testing/btest/language/switch-types-vars.bro index 1b0ca5591b..3e33e1c17f 100644 --- a/testing/btest/language/switch-types-vars.bro +++ b/testing/btest/language/switch-types-vars.bro @@ -36,7 +36,7 @@ function switch_one(v: any) } } -event bro_init() +event zeek_init() { switch_one("My StrIng"); switch_one(42); diff --git a/testing/btest/language/switch-types.bro b/testing/btest/language/switch-types.bro index 468ba93922..2ebddea6f0 100644 --- a/testing/btest/language/switch-types.bro +++ b/testing/btest/language/switch-types.bro @@ -30,7 +30,7 @@ function switch_one_no_default(v: any): string } -event bro_init() +event zeek_init() { print switch_one("string"); print switch_one(42); diff --git a/testing/btest/language/table-init-attrs.bro b/testing/btest/language/table-init-attrs.bro index 76d98b9fed..9d3403642a 100644 --- a/testing/btest/language/table-init-attrs.bro 
+++ b/testing/btest/language/table-init-attrs.bro @@ -51,7 +51,7 @@ global inception_table2: table[count] of table[count] of string = { [0] = table([13] = "bar") &default="forty-two", } &default=table() &default="we need to go deeper"; -event bro_init() +event zeek_init() { print "my_set_ctor_init"; print my_set_ctor_init; diff --git a/testing/btest/language/table-init.bro b/testing/btest/language/table-init.bro index 7419a50879..cc94589974 100644 --- a/testing/btest/language/table-init.bro +++ b/testing/btest/language/table-init.bro @@ -6,7 +6,7 @@ global global_table: table[count] of string = { [2] = "two" } &default = "global table default"; -event bro_init() +event zeek_init() { local local_table: table[count] of string = { [3] = "three", diff --git a/testing/btest/language/table-type-checking.bro b/testing/btest/language/table-type-checking.bro index f579a83d37..639a2d021d 100644 --- a/testing/btest/language/table-type-checking.bro +++ b/testing/btest/language/table-type-checking.bro @@ -12,7 +12,7 @@ global gen: MyTable = MyTable(["one"] = 1); # type clash in init # global, type deduction, anon ctor global gda = table(["two"] = 2); # fine global gda2 = MyTable([2/tcp] = 2); # fine -event bro_init() +event zeek_init() { gda = gda2; # type clash } @@ -21,26 +21,26 @@ event bro_init() global gea: MyTable = table(["three"] = 3); # type clash # local, type deduction, named ctor -event bro_init() +event zeek_init() { local ldn = MyTable(["thousand"] = 1000); # type clash } # local, type explicit, named ctor -event bro_init() +event zeek_init() { local len: MyTable = MyTable(["thousand-one"] = 1001); # type clash } # local, type deduction, anon ctor -event bro_init() +event zeek_init() { local lda = table(["thousand-two"] = 1002); # fine lda = MyTable(["thousand-two"] = 1002); # type clash } # local, type explicit, anon ctor -event bro_init() +event zeek_init() { local lea: MyTable = table(["thousand-three"] = 1003); # type clash } 
diff --git a/testing/btest/language/table.bro b/testing/btest/language/table.bro index 3c8e8db280..98f7daa8e3 100644 --- a/testing/btest/language/table.bro +++ b/testing/btest/language/table.bro @@ -10,7 +10,7 @@ function test_case(msg: string, expect: bool) # type is not explicitly specified global tg1 = { [1] = "type", [2] = "inference", [3] = "test" }; -event bro_init() +event zeek_init() { local t1: table[count] of string = table( [5] = "test", [0] = "example" ); local t2: table[count] of string = table(); diff --git a/testing/btest/language/time.bro b/testing/btest/language/time.bro index dd4b6336fe..e8b71219ca 100644 --- a/testing/btest/language/time.bro +++ b/testing/btest/language/time.bro @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local t1: time = current_time(); local t2: time = t1 + 3 sec; diff --git a/testing/btest/language/timeout.bro b/testing/btest/language/timeout.bro index 632ab18b5f..47906b35fb 100644 --- a/testing/btest/language/timeout.bro +++ b/testing/btest/language/timeout.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local h1: addr = 1.2.3.4; diff --git a/testing/btest/language/type-cast-any.bro b/testing/btest/language/type-cast-any.bro index ddd4ea2dbe..ad18a28646 100644 --- a/testing/btest/language/type-cast-any.bro +++ b/testing/btest/language/type-cast-any.bro @@ -27,7 +27,7 @@ function cast_to_X(a: any, b: X) print a, P, P is X, fmt("%s==%s => %s", b, P, Cmp); } -event bro_init() +event zeek_init() { local x: X; x = [$a = 1.2.3.4, $b=1947/tcp]; diff --git a/testing/btest/language/type-cast-error-dynamic.bro b/testing/btest/language/type-cast-error-dynamic.bro index c18548b0c4..fb0605b196 100644 --- a/testing/btest/language/type-cast-error-dynamic.bro +++ b/testing/btest/language/type-cast-error-dynamic.bro @@ -11,7 +11,7 @@ function cast_to_string(a: any) print a as string; } -event bro_init() +event zeek_init() { cast_to_string(42); } 
diff --git a/testing/btest/language/type-cast-error-static.bro b/testing/btest/language/type-cast-error-static.bro index 3533fef3cb..3d1afbe095 100644 --- a/testing/btest/language/type-cast-error-static.bro +++ b/testing/btest/language/type-cast-error-static.bro @@ -6,7 +6,7 @@ type X: record { b: port; }; -event bro_init() +event zeek_init() { local x: X; x = [$a = 1.2.3.4, $b=1947/tcp]; diff --git a/testing/btest/language/type-cast-same.bro b/testing/btest/language/type-cast-same.bro index 93c3b633fa..58e98bb0c0 100644 --- a/testing/btest/language/type-cast-same.bro +++ b/testing/btest/language/type-cast-same.bro @@ -6,7 +6,7 @@ type X: record { b: port; }; -event bro_init() +event zeek_init() { local x: X; x = [$a = 1.2.3.4, $b=1947/tcp]; diff --git a/testing/btest/language/type-check-any.bro b/testing/btest/language/type-check-any.bro index 5d882c8997..1b681a3420 100644 --- a/testing/btest/language/type-check-any.bro +++ b/testing/btest/language/type-check-any.bro @@ -11,7 +11,7 @@ function check(a: any) print a, a is string, a is count, a is X; } -event bro_init() +event zeek_init() { local x: X; x = [$a = 1.2.3.4, $b=1947/tcp]; diff --git a/testing/btest/language/type-check-vector.bro b/testing/btest/language/type-check-vector.bro index 461fb312fb..b92c654fb6 100644 --- a/testing/btest/language/type-check-vector.bro +++ b/testing/btest/language/type-check-vector.bro @@ -9,7 +9,7 @@ function check(a: any) print a as myvec; } -event bro_init() +event zeek_init() { local v = myvec("one", "two", 3); check(v); diff --git a/testing/btest/language/type-type-error.bro b/testing/btest/language/type-type-error.bro index 047e4b34ef..2f3e3913ef 100644 --- a/testing/btest/language/type-type-error.bro +++ b/testing/btest/language/type-type-error.bro 
@@ -5,7 +5,7 @@ type r: record { a: string; }; -event bro_init() +event zeek_init() { # This should generate a parse error indicating that the type identifier # is incorrectly used in an expression expecting a real value and not diff --git a/testing/btest/language/undefined-delete-field.bro b/testing/btest/language/undefined-delete-field.bro index 8271f016fe..a45e093527 100644 --- a/testing/btest/language/undefined-delete-field.bro +++ b/testing/btest/language/undefined-delete-field.bro @@ -7,7 +7,7 @@ type MyRecordType: record b: count; }; -event bro_init() +event zeek_init() { local x = MyRecordType($a=1, $b=2); diff --git a/testing/btest/language/uninitialized-local.bro b/testing/btest/language/uninitialized-local.bro index ae486ebf1f..ec4a6e61de 100644 --- a/testing/btest/language/uninitialized-local.bro +++ b/testing/btest/language/uninitialized-local.bro @@ -16,7 +16,7 @@ event testit() my_vector[0] = my_string; } -event bro_init() +event zeek_init() { event testit(); } diff --git a/testing/btest/language/uninitialized-local2.bro b/testing/btest/language/uninitialized-local2.bro index f11a5fda10..ed4045a1a3 100644 --- a/testing/btest/language/uninitialized-local2.bro +++ b/testing/btest/language/uninitialized-local2.bro @@ -19,7 +19,7 @@ event test() print "var_b is", var_b; } -event bro_init() +event zeek_init() { event test(); } diff --git a/testing/btest/language/vector-any-append.bro b/testing/btest/language/vector-any-append.bro index 816627fbf1..d501af6b15 100644 --- a/testing/btest/language/vector-any-append.bro +++ b/testing/btest/language/vector-any-append.bro @@ -11,7 +11,7 @@ function append(v: vector of any) v += |v|; } -event bro_init() +event zeek_init() { local v: vector of count; assign(v); diff --git a/testing/btest/language/vector-type-checking.bro b/testing/btest/language/vector-type-checking.bro index b4c75118d1..c0003503a4 100644 --- a/testing/btest/language/vector-type-checking.bro +++ b/testing/btest/language/vector-type-checking.bro 
@@ -12,7 +12,7 @@ global gen: MyVec = MyVec("one"); # type clash in init # global, type deduction, anon ctor global gda = vector("two"); # fine global gda2 = MyVec(2); # fine -event bro_init() +event zeek_init() { gda = gda2; # type clash } @@ -21,26 +21,26 @@ event bro_init() global gea: MyVec = vector("three"); # type clash # local, type deduction, named ctor -event bro_init() +event zeek_init() { local ldn = MyVec("thousand"); # type clash } # local, type explicit, named ctor -event bro_init() +event zeek_init() { local len: MyVec = MyVec("thousand-one"); # type clash } # local, type deduction, anon ctor -event bro_init() +event zeek_init() { local lda = vector("thousand-two"); # fine lda = MyVec("thousand-two"); # type clash } # local, type explicit, anon ctor -event bro_init() +event zeek_init() { local lea: MyVec = vector("thousand-three"); # type clash } diff --git a/testing/btest/language/vector.bro b/testing/btest/language/vector.bro index 0eafd6c60c..36ff7c0267 100644 --- a/testing/btest/language/vector.bro +++ b/testing/btest/language/vector.bro @@ -10,7 +10,7 @@ function test_case(msg: string, expect: bool) # Note: only global vectors can be initialized with curly braces global vg1: vector of string = { "curly", "braces" }; -event bro_init() +event zeek_init() { local v1: vector of string = vector( "test", "example" ); local v2: vector of string = vector(); diff --git a/testing/btest/language/when-unitialized-rhs.bro b/testing/btest/language/when-unitialized-rhs.bro index 21b94c6e02..196834c2ae 100644 --- a/testing/btest/language/when-unitialized-rhs.bro +++ b/testing/btest/language/when-unitialized-rhs.bro @@ -4,7 +4,7 @@ global crashMe: function(): string; global x: int; -event bro_init() +event zeek_init() { when( local result = crashMe() ) { diff --git a/testing/btest/language/when.bro b/testing/btest/language/when.bro index a2bad6a620..36914ce993 100644 --- a/testing/btest/language/when.bro +++ b/testing/btest/language/when.bro 
@@ -5,7 +5,7 @@ redef exit_only_after_terminate = T; -event bro_init() +event zeek_init() { local h: addr = 127.0.0.1; diff --git a/testing/btest/language/while.bro b/testing/btest/language/while.bro index 6828b00b41..d6588589f7 100644 --- a/testing/btest/language/while.bro +++ b/testing/btest/language/while.bro @@ -67,7 +67,7 @@ function test_return(): vector of string return rval; } -event bro_init() +event zeek_init() { test_noop(); test_it(); diff --git a/testing/btest/plugins/bifs-and-scripts-install.sh b/testing/btest/plugins/bifs-and-scripts-install.sh index 60c754f8ff..09013a0876 100644 --- a/testing/btest/plugins/bifs-and-scripts-install.sh +++ b/testing/btest/plugins/bifs-and-scripts-install.sh @@ -18,7 +18,7 @@ cat >scripts/demo/foo/__load__.bro <scripts/demo/foo/manually.bro <scripts/demo/foo/base/at-startup.bro <scripts/demo/foo/__load__.bro <scripts/demo/foo/manually.bro <scripts/demo/foo/base/at-startup.bro <&1 # @TEST-EXEC: btest-diff .stdout -event bro_init() +event zeek_init() { print "This should fail but not crash"; print Files::lookup_file("asdf"); diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.bro index 9b6d11ce0d..df4573e418 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.bro @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT # @TEST-EXEC: btest-diff files.log -event bro_init() +event zeek_init() { Files::register_for_mime_type(Files::ANALYZER_MD5, "text/plain"); }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro index 053341c840..8598d3c1f4 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro 
+++ b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro @@ -18,7 +18,7 @@ redef test_get_file_name = function(f: fa_file): string T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 @TEST-END-FILE -event bro_init() +event zeek_init() { local source: string = "../input.log"; Input::add_analysis([$source=source, $reader=Input::READER_BINARY, diff --git a/testing/btest/scripts/base/frameworks/input/basic.bro b/testing/btest/scripts/base/frameworks/input/basic.bro index 356b87d70b..02c3b4ff79 100644 --- a/testing/btest/scripts/base/frameworks/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/basic.bro @@ -47,7 +47,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/bignumber.bro b/testing/btest/scripts/base/frameworks/input/bignumber.bro index 15d711b1c4..b5b9d3fcae 100644 --- a/testing/btest/scripts/base/frameworks/input/bignumber.bro +++ b/testing/btest/scripts/base/frameworks/input/bignumber.bro @@ -26,7 +26,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/binary.bro b/testing/btest/scripts/base/frameworks/input/binary.bro index 11701fbd8a..072db53e11 100644 --- a/testing/btest/scripts/base/frameworks/input/binary.bro +++ b/testing/btest/scripts/base/frameworks/input/binary.bro @@ -45,7 +45,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, a: string, b } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); 
diff --git a/testing/btest/scripts/base/frameworks/input/config/basic.bro b/testing/btest/scripts/base/frameworks/input/config/basic.bro index c8d68fc822..a0a7df017f 100644 --- a/testing/btest/scripts/base/frameworks/input/config/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/config/basic.bro @@ -67,7 +67,7 @@ event Input::end_of_data(name: string, source:string) terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/config/errors.bro b/testing/btest/scripts/base/frameworks/input/config/errors.bro index 4f398956dc..262b4ff36d 100644 --- a/testing/btest/scripts/base/frameworks/input/config/errors.bro +++ b/testing/btest/scripts/base/frameworks/input/config/errors.bro @@ -58,7 +58,7 @@ event Input::end_of_data(name: string, source:string) terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/default.bro b/testing/btest/scripts/base/frameworks/input/default.bro index c5b0e2f967..3c9880696d 100644 --- a/testing/btest/scripts/base/frameworks/input/default.bro +++ b/testing/btest/scripts/base/frameworks/input/default.bro @@ -33,7 +33,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, val: Val) print outfile, val; } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_event([$source="../input.log", $name="input", $fields=Val, $ev=line, $want_record=T]); diff --git a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro index b46c299c2c..b43044b963 100644 
--- a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro +++ b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro @@ -52,7 +52,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print outfile, right; } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/scripts/base/frameworks/input/emptyvals.bro b/testing/btest/scripts/base/frameworks/input/emptyvals.bro index 57e79dd977..6e45f56e8d 100644 --- a/testing/btest/scripts/base/frameworks/input/emptyvals.bro +++ b/testing/btest/scripts/base/frameworks/input/emptyvals.bro @@ -29,7 +29,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/errors.bro b/testing/btest/scripts/base/frameworks/input/errors.bro index 0d0376694a..296c43f450 100644 --- a/testing/btest/scripts/base/frameworks/input/errors.bro +++ b/testing/btest/scripts/base/frameworks/input/errors.bro @@ -148,7 +148,7 @@ event kill_me() terminate(); } -event bro_init() +event zeek_init() { outfile = open("out"); Input::add_event([$source="input.log", $name="file", $fields=FileVal, $ev=line_file, $want_record=T]); diff --git a/testing/btest/scripts/base/frameworks/input/event.bro b/testing/btest/scripts/base/frameworks/input/event.bro index 6b6a391939..1ac4e38af5 100644 --- a/testing/btest/scripts/base/frameworks/input/event.bro +++ b/testing/btest/scripts/base/frameworks/input/event.bro @@ -35,7 +35,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, i: int, b: b print outfile, b; } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_event([$source="../input.log", $name="input", $fields=Val, $ev=line, $want_record=F]); 
diff --git a/testing/btest/scripts/base/frameworks/input/invalid-lines.bro b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro index 83be1efd09..2a2e2b1e63 100644 --- a/testing/btest/scripts/base/frameworks/input/invalid-lines.bro +++ b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro @@ -50,7 +50,7 @@ type Val: record { global servers: table[int] of Val = table(); global servers2: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro b/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro index f2fefaa5d0..4acaa63ee6 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro @@ -30,7 +30,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/invalidset.bro b/testing/btest/scripts/base/frameworks/input/invalidset.bro index 932060424e..d1ca5e3262 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidset.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidset.bro @@ -45,7 +45,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, v: Val) print outfile, "Event", v; } -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/invalidtext.bro b/testing/btest/scripts/base/frameworks/input/invalidtext.bro index 3f5b590dec..3a30da30c8 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidtext.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidtext.bro 
@@ -46,7 +46,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, v: Val) print outfile, "Event", v; } -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/missing-enum.bro b/testing/btest/scripts/base/frameworks/input/missing-enum.bro index 0d37aae453..abdc608447 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-enum.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-enum.bro @@ -22,7 +22,7 @@ type Val: record { global etable: table[int] of Log::ID = table(); -event bro_init() +event zeek_init() { # first read in the old stuff into the table... Input::add_table([$source="../input.log", $name="enum", $idx=Idx, $val=Val, $destination=etable, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro index 7c9f51994c..0fed78d120 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro @@ -50,7 +50,7 @@ event line2(description: Input::EventDescription, tpe: Input::Event, v: Val) } -event bro_init() +event zeek_init() { Input::add_event([$source="../does-not-exist.dat", $name="input", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line, $want_record=T]); Input::add_event([$source="../does-not-exist.dat", $name="inputstream", $reader=Input::READER_ASCII, $mode=Input::STREAM, $fields=Val, $ev=line, $want_record=T]); diff --git a/testing/btest/scripts/base/frameworks/input/missing-file.bro b/testing/btest/scripts/base/frameworks/input/missing-file.bro index 2ec3bb937f..90fbeb175e 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file.bro 
@@ -19,7 +19,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, i: int, b: b { } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro index c38c4efd85..723227a1c3 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro +++ b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro @@ -28,7 +28,7 @@ type Val: record { global servers: table[int] of bool = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro index 3ee82983ff..33da194d84 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro +++ b/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro @@ -28,7 +28,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$name="input", $source="../input.log", $idx=Idx, $val=Val, $destination=servers]); diff --git a/testing/btest/scripts/base/frameworks/input/optional.bro b/testing/btest/scripts/base/frameworks/input/optional.bro index 56c261999d..9b9d569ffe 100644 --- a/testing/btest/scripts/base/frameworks/input/optional.bro +++ b/testing/btest/scripts/base/frameworks/input/optional.bro @@ -35,7 +35,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... 
diff --git a/testing/btest/scripts/base/frameworks/input/port-embedded.bro b/testing/btest/scripts/base/frameworks/input/port-embedded.bro index 8aab733069..32feb47c34 100644 --- a/testing/btest/scripts/base/frameworks/input/port-embedded.bro +++ b/testing/btest/scripts/base/frameworks/input/port-embedded.bro @@ -32,7 +32,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print left, right; } -event bro_init() +event zeek_init() { Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $ev=line, $destination=servers]); } diff --git a/testing/btest/scripts/base/frameworks/input/port.bro b/testing/btest/scripts/base/frameworks/input/port.bro index 48571c5ecd..d0bb823b74 100644 --- a/testing/btest/scripts/base/frameworks/input/port.bro +++ b/testing/btest/scripts/base/frameworks/input/port.bro @@ -27,7 +27,7 @@ type Val: record { global servers: table[addr] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers]); diff --git a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro b/testing/btest/scripts/base/frameworks/input/predicate-stream.bro index aac44fb8ee..f8e7f8fdf3 100644 --- a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate-stream.bro @@ -64,7 +64,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out"); ct = 0; diff --git a/testing/btest/scripts/base/frameworks/input/predicate.bro b/testing/btest/scripts/base/frameworks/input/predicate.bro index 9946e72211..171e1d42de 100644 --- a/testing/btest/scripts/base/frameworks/input/predicate.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate.bro 
@@ -34,7 +34,7 @@ type Val: record { global servers: table[int] of bool = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro b/testing/btest/scripts/base/frameworks/input/predicatemodify.bro index 13ed38d6ba..80e8c6aac8 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodify.bro @@ -31,7 +31,7 @@ type Val: record { global servers: table[int, string] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro index 2c6b58ff2d..53708b4fdd 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro @@ -75,7 +75,7 @@ global servers: table[int, string] of Val = table(); global outfile: file; global try: count; -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro b/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro index ae756431cd..6d4147ad06 100644 --- a/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro +++ b/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro @@ -35,7 +35,7 @@ type Val: record { global servers: table[addr] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/raw/basic.bro b/testing/btest/scripts/base/frameworks/input/raw/basic.bro index 377e34aca7..cb9e0269ea 100644 
--- a/testing/btest/scripts/base/frameworks/input/raw/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/basic.bro @@ -38,7 +38,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/raw/execute.bro b/testing/btest/scripts/base/frameworks/input/raw/execute.bro index 783b974c0f..018b62d75b 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/execute.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/execute.bro @@ -32,7 +32,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out.tmp"); Input::add_event([$source="wc -l ../input.log |", $reader=Input::READER_RAW, $name="input", $fields=Val, $ev=line, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro b/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro index b78dd4e0e3..1c24c3ab8a 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro @@ -72,7 +72,7 @@ function more_input(name_prefix: string) $config=config_strings]); } -event bro_init() +event zeek_init() { outfile = open("../out"); ++total_processes; diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro b/testing/btest/scripts/base/frameworks/input/raw/executestream.bro index 240761ee03..ded6588269 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/executestream.bro @@ -56,7 +56,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; 
diff --git a/testing/btest/scripts/base/frameworks/input/raw/long.bro b/testing/btest/scripts/base/frameworks/input/raw/long.bro index 266021ae28..40f84c8597 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/long.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/long.bro @@ -29,7 +29,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/raw/offset.bro b/testing/btest/scripts/base/frameworks/input/raw/offset.bro index f37fb9c28a..0fdb6d65e9 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/offset.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/offset.bro @@ -33,7 +33,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro b/testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro index f3dfb11ea5..ae977b4b2d 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro @@ -38,7 +38,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro index 8ff4cc7f1b..b62b135e43 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro @@ -54,7 +54,7 @@ event InputRaw::process_finished(name: string, source:string, exit_code:count, s terminate(); } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["read_stderr"] = "1" 
diff --git a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro b/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro index 331db7eeb8..923428717f 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro @@ -56,7 +56,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/scripts/base/frameworks/input/repeat.bro b/testing/btest/scripts/base/frameworks/input/repeat.bro index 5093e30351..86245ef9f0 100644 --- a/testing/btest/scripts/base/frameworks/input/repeat.bro +++ b/testing/btest/scripts/base/frameworks/input/repeat.bro @@ -31,7 +31,7 @@ global destination: table[int] of bool = table(); const one_to_32: vector of count = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32}; -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.bro index 53cb2a91a8..e34ae0a5ae 100644 --- a/testing/btest/scripts/base/frameworks/input/reread.bro +++ b/testing/btest/scripts/base/frameworks/input/reread.bro @@ -103,7 +103,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print outfile, right; } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/scripts/base/frameworks/input/set.bro b/testing/btest/scripts/base/frameworks/input/set.bro index d79e9ae17a..52c0b8feef 100644 --- a/testing/btest/scripts/base/frameworks/input/set.bro +++ b/testing/btest/scripts/base/frameworks/input/set.bro @@ -27,7 +27,7 @@ type Idx: record { global servers: set[addr] = set(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... 
diff --git a/testing/btest/scripts/base/frameworks/input/setseparator.bro b/testing/btest/scripts/base/frameworks/input/setseparator.bro index 39a785236a..3e052c4b44 100644 --- a/testing/btest/scripts/base/frameworks/input/setseparator.bro +++ b/testing/btest/scripts/base/frameworks/input/setseparator.bro @@ -27,7 +27,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/setspecialcases.bro b/testing/btest/scripts/base/frameworks/input/setspecialcases.bro index 40a708f772..801a3229c5 100644 --- a/testing/btest/scripts/base/frameworks/input/setspecialcases.bro +++ b/testing/btest/scripts/base/frameworks/input/setspecialcases.bro @@ -31,7 +31,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro b/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro index eb1411970b..fdb946e02c 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro @@ -86,7 +86,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, r: Conn::Inf print outfile, |r$tunnel_parents|; # to make sure I got empty right } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select * from conn;", diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/error.bro b/testing/btest/scripts/base/frameworks/input/sqlite/error.bro index 08938e6df5..7a46160dc0 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/error.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/error.bro 
@@ -79,7 +79,7 @@ event term_me() terminate(); } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select * from ssh;", diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/port.bro b/testing/btest/scripts/base/frameworks/input/sqlite/port.bro index 6fc18139fe..ddf4a844bb 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/port.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/port.bro @@ -35,7 +35,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, p: port) print outfile, p; } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select port as p, proto from port;", diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/types.bro b/testing/btest/scripts/base/frameworks/input/sqlite/types.bro index 42f8717c12..894db886b5 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/types.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/types.bro @@ -73,7 +73,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, p: SSH::Log) print outfile, |p$vs|; } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select * from ssh;", diff --git a/testing/btest/scripts/base/frameworks/input/stream.bro b/testing/btest/scripts/base/frameworks/input/stream.bro index 8ed498f074..20f1b682fa 100644 --- a/testing/btest/scripts/base/frameworks/input/stream.bro +++ b/testing/btest/scripts/base/frameworks/input/stream.bro @@ -80,7 +80,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r } } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/scripts/base/frameworks/input/subrecord-event.bro b/testing/btest/scripts/base/frameworks/input/subrecord-event.bro index ec1cc37efc..fdcef27d68 100644 --- a/testing/btest/scripts/base/frameworks/input/subrecord-event.bro 
+++ b/testing/btest/scripts/base/frameworks/input/subrecord-event.bro @@ -64,7 +64,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, value: Val) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/subrecord.bro b/testing/btest/scripts/base/frameworks/input/subrecord.bro index 0f960c6d3c..797768a7a7 100644 --- a/testing/btest/scripts/base/frameworks/input/subrecord.bro +++ b/testing/btest/scripts/base/frameworks/input/subrecord.bro @@ -51,7 +51,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/tableevent.bro b/testing/btest/scripts/base/frameworks/input/tableevent.bro index 760b19d24f..370265508d 100644 --- a/testing/btest/scripts/base/frameworks/input/tableevent.bro +++ b/testing/btest/scripts/base/frameworks/input/tableevent.bro @@ -47,7 +47,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/twotables.bro b/testing/btest/scripts/base/frameworks/input/twotables.bro index 5b6d833da3..12d5394a54 100644 --- a/testing/btest/scripts/base/frameworks/input/twotables.bro +++ b/testing/btest/scripts/base/frameworks/input/twotables.bro @@ -81,7 +81,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r # print event_out, right; } -event bro_init() +event zeek_init() { event_out = open ("../event.out"); pred1_out = open ("../pred1.out"); diff --git a/testing/btest/scripts/base/frameworks/input/unsupported_types.bro b/testing/btest/scripts/base/frameworks/input/unsupported_types.bro index beedc0a633..3090cf10c9 100644 --- a/testing/btest/scripts/base/frameworks/input/unsupported_types.bro 
+++ b/testing/btest/scripts/base/frameworks/input/unsupported_types.bro @@ -45,7 +45,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/windows.bro b/testing/btest/scripts/base/frameworks/input/windows.bro index 275f5e0713..8addf0c6ad 100644 --- a/testing/btest/scripts/base/frameworks/input/windows.bro +++ b/testing/btest/scripts/base/frameworks/input/windows.bro @@ -7,11 +7,11 @@ redef exit_only_after_terminate = T; @TEST-START-FILE input.log -#separator \x09 -#path ssh -#fields b i e c p sn a d t iv s sc ss se vc ve ns -#types bool int enum count port subnet addr double time interval string table table table vector vector string -T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 +#separator \x09 +#path ssh +#fields b i e c p sn a d t iv s sc ss se vc ve ns +#types bool int enum count port subnet addr double time interval string table table table vector vector string +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 @TEST-END-FILE @load base/protocols/ssh @@ -47,7 +47,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.bro b/testing/btest/scripts/base/frameworks/intel/expire-item.bro index 08d80714bc..a3a45cd1c0 100644 --- a/testing/btest/scripts/base/frameworks/intel/expire-item.bro +++ b/testing/btest/scripts/base/frameworks/intel/expire-item.bro 
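Review bot: In windows.bro, the first hunk (`@@ -7,11 +7,11 @@`) removes and re-adds the five `input.log` fixture lines, from `#separator \x09` through the `T -42 …` data row, with no visible textual difference, so the change looks like whitespace or line endings only. Judging by the file name, this test presumably feeds the input reader a file with Windows (CRLF) line endings. If the rename pass normalized those bytes, the test could keep passing while no longer exercising that path. Please confirm the fixture bytes changed only as intended; if the line endings are deliberate, a comment above `@TEST-START-FILE input.log` would guard against a repeat, for example `# The input.log lines below deliberately keep their line endings; do not normalize them.`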
@@ -61,7 +61,7 @@ hook Intel::item_expired(indicator: string, indicator_type: Intel::Type, print fmt("Expired: %s", indicator); } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { schedule 1.5sec { do_it() }; } diff --git a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro b/testing/btest/scripts/base/frameworks/intel/input-and-match.bro index 8f74117201..bea8abfd88 100644 --- a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro +++ b/testing/btest/scripts/base/frameworks/intel/input-and-match.bro @@ -32,7 +32,7 @@ event Intel::log_intel(rec: Intel::Info) terminate(); } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { schedule 1sec { do_it() }; } diff --git a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro index 8e3fe74116..9c46dd7c93 100644 --- a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro +++ b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro @@ -29,7 +29,7 @@ event do_it() $where=SOMEWHERE]); } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { schedule 1sec { do_it() }; } diff --git a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro index a4becfb2b3..22ff478aa3 100644 --- a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro +++ b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro @@ -45,7 +45,7 @@ event do_it() Intel::seen([$indicator="e@mail.com", $indicator_type=Intel::EMAIL, $where=Intel::IN_A_TEST]); } -event bro_init() +event zeek_init() { # Delay the workers searching for hits briefly to allow for the data distribution # mechanism to distribute the data to the workers. 
diff --git a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro index 1885f5bcf8..7bc071c17a 100644 --- a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro +++ b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro @@ -25,7 +25,7 @@ event do_it() terminate(); } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { schedule 1sec { do_it() }; } diff --git a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro index 2db881deea..d342186ca3 100644 --- a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro +++ b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro @@ -19,7 +19,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Info]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro index fcbac3be58..1df620e19b 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro @@ -15,7 +15,7 @@ export { redef LogAscii::separator = "|"; -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Info]); Log::write(SSH::LOG, [$data="abc\n\xffdef", $data2="DATA2"]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro index b824d93676..1b310fd8ff 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro @@ -23,7 +23,7 @@ function logwrite(val: double) Log::write(Test::LOG, [$d=val]); } -event bro_init() +event zeek_init() { local d: double; local dmax: double = 1.79e308; 
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro b/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro index 0bb5900e30..bb38f988ae 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro @@ -23,7 +23,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro index 3df3ea1d25..d7e7739547 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro @@ -12,7 +12,7 @@ export { } &log; } -event bro_init() +event zeek_init() { local a = "abc\0def"; local b = escape_string(a); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro index e18926a194..0145c52243 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro @@ -14,7 +14,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(test::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro index 8c1401b179..c42a92fdac 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro @@ -14,7 +14,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(Test::LOG, [$columns=Log]); Log::write(Test::LOG, [$x=LogAscii::unset_field, $z=""]); 
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro index f5fb7a6259..03139bf2b8 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro @@ -11,7 +11,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(Test::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro index d73464777a..9fa6555391 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro @@ -18,7 +18,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro index 2a1c388322..3e73b56500 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro @@ -17,7 +17,7 @@ export { redef Log::default_rotation_interval = 1hr; redef LogAscii::gzip_level = 1; -event bro_init() +event zeek_init() { Log::create_stream(Test::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro index 9563f42c40..74573fe3d4 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro @@ -42,7 +42,7 @@ function foo(i : count) : string return "Bar"; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); local filter = Log::Filter($name="ssh-uncompressed", $path="ssh-uncompressed", 
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro index 8cb1210a68..bfe998a78e 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro @@ -17,7 +17,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); Log::write(SSH::LOG, [ diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro index c26683a338..01662e1442 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro @@ -17,7 +17,7 @@ export { global log_test: event(rec: Info); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(testing::LOG, [$columns=testing::Info, $ev=log_test]); local info: Info; diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json.bro index 2b6055930f..8985715d1d 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-json.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-json.bro @@ -40,7 +40,7 @@ function foo(i : count) : string return "Bar"; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.bro b/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.bro index 4670811b2a..33de6e720a 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.bro 
@@ -13,7 +13,7 @@ export { }; } -event bro_init() +event zeek_init() { Log::create_stream(Test::LOG, [$columns=Info]); Log::write(Test::LOG, [$data="Test1"]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-options.bro b/testing/btest/scripts/base/frameworks/logging/ascii-options.bro index 474b179536..b72f077c81 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-options.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-options.bro @@ -19,7 +19,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro index e63e30f6c6..2e786f4927 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro @@ -12,7 +12,7 @@ export { }; } -event bro_init() +event zeek_init() { Log::create_stream(Test::LOG, [$columns=Info]); Log::write(Test::LOG, [$data=double_to_time(1234567890)]); diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro b/testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro index 09276a08fd..c29b291003 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro @@ -17,7 +17,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/attr-extend.bro b/testing/btest/scripts/base/frameworks/logging/attr-extend.bro index 7f58f3f8c1..7aece07642 100644 --- a/testing/btest/scripts/base/frameworks/logging/attr-extend.bro +++ b/testing/btest/scripts/base/frameworks/logging/attr-extend.bro @@ -26,7 +26,7 @@ redef record Log += { } &log; -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); 
diff --git a/testing/btest/scripts/base/frameworks/logging/attr.bro b/testing/btest/scripts/base/frameworks/logging/attr.bro index 8ec3d1c385..84287cc280 100644 --- a/testing/btest/scripts/base/frameworks/logging/attr.bro +++ b/testing/btest/scripts/base/frameworks/logging/attr.bro @@ -15,7 +15,7 @@ export { }; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro index c2f64da8e6..e3b2aa2b93 100644 --- a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro +++ b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro @@ -15,7 +15,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/empty-event.bro b/testing/btest/scripts/base/frameworks/logging/empty-event.bro index 6aa867220f..e7928de5c7 100644 --- a/testing/btest/scripts/base/frameworks/logging/empty-event.bro +++ b/testing/btest/scripts/base/frameworks/logging/empty-event.bro @@ -17,7 +17,7 @@ export { global log_ssh: event(rec: Log); -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log, $ev=log_ssh]); diff --git a/testing/btest/scripts/base/frameworks/logging/enable-stream.bro b/testing/btest/scripts/base/frameworks/logging/enable-stream.bro index 0f525eced1..95d02068d8 100644 --- a/testing/btest/scripts/base/frameworks/logging/enable-stream.bro +++ b/testing/btest/scripts/base/frameworks/logging/enable-stream.bro @@ -15,7 +15,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/events.bro b/testing/btest/scripts/base/frameworks/logging/events.bro index bf156e6d60..d1cf0fba7e 100644 --- a/testing/btest/scripts/base/frameworks/logging/events.bro 
+++ b/testing/btest/scripts/base/frameworks/logging/events.bro @@ -20,7 +20,7 @@ export { global ssh_log: event(rec: Log); -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log, $ev=ssh_log]); diff --git a/testing/btest/scripts/base/frameworks/logging/exclude.bro b/testing/btest/scripts/base/frameworks/logging/exclude.bro index 7b245541ab..b776cf91a4 100644 --- a/testing/btest/scripts/base/frameworks/logging/exclude.bro +++ b/testing/btest/scripts/base/frameworks/logging/exclude.bro @@ -15,7 +15,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro index dd30ad4c6f..4c3d1016d3 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro @@ -62,7 +62,7 @@ event kill_worker() Broker::publish("death", slow_death); } -event bro_init() +event zeek_init() { if ( Cluster::node == "worker-1" ) { diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro index d38b5b744b..61e322c026 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro @@ -55,7 +55,7 @@ event kill_worker() Broker::publish("death", slow_death); } -event bro_init() +event zeek_init() { if ( Cluster::node == "worker-1" ) { diff --git a/testing/btest/scripts/base/frameworks/logging/file.bro b/testing/btest/scripts/base/frameworks/logging/file.bro index 94bdad6b1b..011c9bbe82 100644 --- a/testing/btest/scripts/base/frameworks/logging/file.bro +++ b/testing/btest/scripts/base/frameworks/logging/file.bro 
@@ -15,7 +15,7 @@ export { const foo_log = open_log_file("Foo") &redef; -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); Log::write(SSH::LOG, [$t=network_time(), $f=foo_log]); diff --git a/testing/btest/scripts/base/frameworks/logging/include.bro b/testing/btest/scripts/base/frameworks/logging/include.bro index d0fea93c99..7179c54338 100644 --- a/testing/btest/scripts/base/frameworks/logging/include.bro +++ b/testing/btest/scripts/base/frameworks/logging/include.bro @@ -15,7 +15,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/no-local.bro b/testing/btest/scripts/base/frameworks/logging/no-local.bro index 9ae7d32d61..9418afea14 100644 --- a/testing/btest/scripts/base/frameworks/logging/no-local.bro +++ b/testing/btest/scripts/base/frameworks/logging/no-local.bro @@ -17,7 +17,7 @@ export { redef Log::enable_local_logging = F; -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/none-debug.bro b/testing/btest/scripts/base/frameworks/logging/none-debug.bro index 5d2e98323a..9a9f73d8f9 100644 --- a/testing/btest/scripts/base/frameworks/logging/none-debug.bro +++ b/testing/btest/scripts/base/frameworks/logging/none-debug.bro @@ -20,7 +20,7 @@ export { } &log; } -event bro_init() +event zeek_init() { local config: table[string] of string; config["foo"]="bar"; diff --git a/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro b/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro index aff886c2f4..ebb514042e 100644 --- a/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro +++ b/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro 
@@ -16,7 +16,7 @@ function split_log(id: Log::ID, path: string, rec: record {id:conn_id;}): string return Site::is_local_addr(rec$id$orig_h) ? "local" : "remote"; }
-event bro_init()
+event zeek_init()
 { # Add a new filter to the Conn::LOG stream that logs only # timestamp and originator address.
diff --git a/testing/btest/scripts/base/frameworks/logging/path-func.bro b/testing/btest/scripts/base/frameworks/logging/path-func.bro
index 684aa03ed6..fa52cccc48 100644
--- a/testing/btest/scripts/base/frameworks/logging/path-func.bro
+++ b/testing/btest/scripts/base/frameworks/logging/path-func.bro
@@ -28,7 +28,7 @@ function path_func(id: Log::ID, path: string, rec: Log) : string return fmt("%s-%d-%s", path, c, rec$country); }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]); Log::remove_default_filter(SSH::LOG);
diff --git a/testing/btest/scripts/base/frameworks/logging/pred.bro b/testing/btest/scripts/base/frameworks/logging/pred.bro
index e13c726656..c6f85183b4 100644
--- a/testing/btest/scripts/base/frameworks/logging/pred.bro
+++ b/testing/btest/scripts/base/frameworks/logging/pred.bro
@@ -24,7 +24,7 @@ function fail(rec: Log): bool return rec$status != "success"; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(Test::LOG, [$columns=Log]); Log::remove_default_filter(Test::LOG);
diff --git a/testing/btest/scripts/base/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.bro
index 3b80d24e9f..2247648e7c 100644
--- a/testing/btest/scripts/base/frameworks/logging/remove.bro
+++ b/testing/btest/scripts/base/frameworks/logging/remove.bro
@@ -20,7 +20,7 @@ export { } &log; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]); Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]);
diff --git a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
index c0f0ef8643..89264fa6e5 100644
--- a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
+++ b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
@@ -28,7 +28,7 @@ function custom_rotate(info: Log::RotationInfo) : bool return T; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(Test::LOG, [$columns=Log]); Log::add_filter(Test::LOG, [$name="2nd", $path="test2", $interv=30mins, $postprocessor=custom_rotate]);
diff --git a/testing/btest/scripts/base/frameworks/logging/rotate.bro b/testing/btest/scripts/base/frameworks/logging/rotate.bro
index 501c0db8ea..2a988a88f0 100644
--- a/testing/btest/scripts/base/frameworks/logging/rotate.bro
+++ b/testing/btest/scripts/base/frameworks/logging/rotate.bro
@@ -21,7 +21,7 @@ export { redef Log::default_rotation_interval = 1hr; redef Log::default_rotation_postprocessor_cmd = "echo";
-event bro_init()
+event zeek_init()
 { Log::create_stream(Test::LOG, [$columns=Log]); }
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/error.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/error.bro
index e48e066c6c..d453804858 100644
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/error.bro
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/error.bro
@@ -73,7 +73,7 @@ function foo(i : count) : string return "Bar"; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]); Log::remove_filter(SSH::LOG, "default");
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/set.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/set.bro
index 0cceb7af08..8612cd5765 100644
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/set.bro
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/set.bro
@@ -32,7 +32,7 @@ function foo(i : count) : string return "Bar"; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]); Log::remove_filter(SSH::LOG, "default");
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro
index 2e864aa791..7f9ea2d870 100644
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro
@@ -47,7 +47,7 @@ function foo(i : count) : string return "Bar"; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]); Log::create_stream(SSH::LOG2, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro
index 6c088e9f2f..e878ec32d3 100644
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro
@@ -45,7 +45,7 @@ function foo(i : count) : string return "Bar"; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]); Log::remove_filter(SSH::LOG, "default");
diff --git a/testing/btest/scripts/base/frameworks/logging/stdout.bro b/testing/btest/scripts/base/frameworks/logging/stdout.bro
index f431a5b6c9..bce55fd0ca 100644
--- a/testing/btest/scripts/base/frameworks/logging/stdout.bro
+++ b/testing/btest/scripts/base/frameworks/logging/stdout.bro
@@ -16,7 +16,7 @@ export { } &log; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/test-logging.bro b/testing/btest/scripts/base/frameworks/logging/test-logging.bro
index 9f90d515fb..f7d07e843a 100644
--- a/testing/btest/scripts/base/frameworks/logging/test-logging.bro
+++ b/testing/btest/scripts/base/frameworks/logging/test-logging.bro
@@ -15,7 +15,7 @@ export { } &log; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/types.bro b/testing/btest/scripts/base/frameworks/logging/types.bro
index d79c667e50..9d208335ad 100644
--- a/testing/btest/scripts/base/frameworks/logging/types.bro
+++ b/testing/btest/scripts/base/frameworks/logging/types.bro
@@ -40,7 +40,7 @@ function foo(i : count) : string return "Bar"; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/unset-record.bro b/testing/btest/scripts/base/frameworks/logging/unset-record.bro
index bb922dc9c8..00f97ffc1a 100644
--- a/testing/btest/scripts/base/frameworks/logging/unset-record.bro
+++ b/testing/btest/scripts/base/frameworks/logging/unset-record.bro
@@ -14,7 +14,7 @@ type Bar: record { b: count &log; };
-event bro_init()
+event zeek_init()
 { Log::create_stream(TESTING, [$columns=Bar]);
diff --git a/testing/btest/scripts/base/frameworks/logging/vec.bro b/testing/btest/scripts/base/frameworks/logging/vec.bro
index 00c5ff5117..6809e132bc 100644
--- a/testing/btest/scripts/base/frameworks/logging/vec.bro
+++ b/testing/btest/scripts/base/frameworks/logging/vec.bro
@@ -12,7 +12,7 @@ export { }; }
-event bro_init()
+event zeek_init()
 { Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.bro b/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.bro
index 908fb43c72..916e5a6775 100644
--- a/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.bro
+++ b/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.bro
@@ -7,7 +7,7 @@ @load base/protocols/http
-event bro_init()
+event zeek_init()
 { # Both the default filter for the http stream and this new one will # attempt to have the same writer write to path "http", which will
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
index 9e0db8531a..c391d9ecc1 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
@@ -14,7 +14,7 @@ redef exit_only_after_terminate = T; global have_peer = F; global did_init = F;
-event bro_init()
+event zeek_init()
 { suspend_processing(); }
@@ -101,7 +101,7 @@ event die() terminate(); }
-event bro_init()
+event zeek_init()
 { Broker::subscribe("bro/event/netcontroltest"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
index 243e5e9b7c..8647ca92e2 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
@@ -15,7 +15,7 @@ redef exit_only_after_terminate = T; global have_peer = F; global did_init = F;
-event bro_init()
+event zeek_init()
 { suspend_processing(); }
@@ -106,7 +106,7 @@ event die() terminate(); }
-event bro_init()
+event zeek_init()
 { Broker::subscribe("bro/event/netcontroltest"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro
index 50c04433ad..91dfd05217 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro
@@ -26,7 +26,7 @@ redef Log::default_rotation_interval = 0secs; @load base/frameworks/netcontrol @if ( Cluster::local_node_type() == Cluster::WORKER )
-event bro_init()
+event zeek_init()
 { suspend_processing(); }
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
index 4d232c3325..08cc38ed78 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
@@ -15,7 +15,7 @@ redef exit_only_after_terminate = T; global have_peer = F; global did_init = F;
-event bro_init()
+event zeek_init()
 { suspend_processing(); }
@@ -90,7 +90,7 @@ event die() terminate(); }
-event bro_init()
+event zeek_init()
 { Broker::subscribe("bro/event/netcontroltest"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro b/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro
index 96b932caf8..5eeab5bff2 100644
--- a/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro
+++ b/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro
@@ -18,7 +18,7 @@ event second_notice() NOTICE([$note=Test_Notice, $msg="another test", $identifier="static"]); }
-event bro_init()
+event zeek_init()
 { NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]); schedule 1msec { second_notice() };
diff --git a/testing/btest/scripts/base/frameworks/notice/suppression.bro b/testing/btest/scripts/base/frameworks/notice/suppression.bro
index 87ce3672b6..d91aa17a2e 100644
--- a/testing/btest/scripts/base/frameworks/notice/suppression.bro
+++ b/testing/btest/scripts/base/frameworks/notice/suppression.bro
@@ -15,7 +15,7 @@ event second_notice() NOTICE([$note=Test_Notice, $msg="another test", $identifier="static"]); }
-event bro_init()
+event zeek_init()
 { NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]); schedule 1msec { second_notice() };
diff --git a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro
index 9d43089b93..db73f22e51 100644
--- a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro
+++ b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro
@@ -15,7 +15,7 @@ redef exit_only_after_terminate = T; global of_controller: OpenFlow::Controller;
-event bro_init()
+event zeek_init()
 { suspend_processing(); of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, to_port(getenv("BROKER_PORT")), "bro/openflow", 42);
@@ -80,7 +80,7 @@ event die() terminate(); }
-event bro_init()
+event zeek_init()
 { Broker::subscribe("bro/openflow"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
diff --git a/testing/btest/scripts/base/frameworks/openflow/log-basic.bro b/testing/btest/scripts/base/frameworks/openflow/log-basic.bro
index d4f08e7822..5aa615f691 100644
--- a/testing/btest/scripts/base/frameworks/openflow/log-basic.bro
+++ b/testing/btest/scripts/base/frameworks/openflow/log-basic.bro
@@ -8,7 +8,7 @@ global of_controller: OpenFlow::Controller; global cookie_id: count = 42;
-event bro_init()
+event zeek_init()
 { of_controller = OpenFlow::log_new(42);
diff --git a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro
index 33f20f8ce5..50b6c976b5 100644
--- a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro
@@ -22,7 +22,7 @@ redef Log::default_rotation_interval = 0secs; global of_controller: OpenFlow::Controller; @if ( Cluster::local_node_type() == Cluster::WORKER )
-event bro_init()
+event zeek_init()
 { suspend_processing(); }
@@ -33,7 +33,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) } @endif
-event bro_init()
+event zeek_init()
 { of_controller = OpenFlow::log_new(42); }
diff --git a/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro b/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro
index 3bfaa4c076..9df9822450 100644
--- a/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro
+++ b/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro
@@ -6,7 +6,7 @@ global of_controller: OpenFlow::Controller;
-event bro_init()
+event zeek_init()
 { of_controller = OpenFlow::ryu_new(127.0.0.1, 8080, 42); of_controller$state$ryu_debug=T;
diff --git a/testing/btest/scripts/base/frameworks/reporter/disable-stderr.bro b/testing/btest/scripts/base/frameworks/reporter/disable-stderr.bro
index b1afb99b5c..bf449e886d 100644
--- a/testing/btest/scripts/base/frameworks/reporter/disable-stderr.bro
+++ b/testing/btest/scripts/base/frameworks/reporter/disable-stderr.bro
@@ -7,7 +7,7 @@ redef Reporter::errors_to_stderr = F; global test: table[count] of string = {};
-event bro_init()
+event zeek_init()
 { print test[3]; }
diff --git a/testing/btest/scripts/base/frameworks/reporter/stderr.bro b/testing/btest/scripts/base/frameworks/reporter/stderr.bro
index ef01c9fdf9..6b878ceef5 100644
--- a/testing/btest/scripts/base/frameworks/reporter/stderr.bro
+++ b/testing/btest/scripts/base/frameworks/reporter/stderr.bro
@@ -4,7 +4,7 @@ global test: table[count] of string = {};
-event bro_init()
+event zeek_init()
 { print test[3]; }
diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
index 806a058a03..fd43145826 100644
--- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro
+++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
@@ -133,7 +133,7 @@ global matched_software: table[string] of Software::Description = { [$name="Android (Google Pixel)", $version=[$major=9], $unparsed_version=""], };
-event bro_init()
+event zeek_init()
 { for ( sw in matched_software ) {
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro
index 8f4bd26ef1..31e2a68fd3 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro
@@ -21,7 +21,7 @@ redef Log::default_rotation_interval = 0secs; global n = 0;
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE, SumStats::HLL_UNIQUE)]; SumStats::create([$name="test",
@@ -71,7 +71,7 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER )
-event bro_init() &priority=100
+event zeek_init() &priority=100
 { Broker::auto_publish(Cluster::worker_topic, ready_for_data); }
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic.bro b/testing/btest/scripts/base/frameworks/sumstats/basic.bro
index 40f269ab1a..1362c739cf 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/basic.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/basic.bro
@@ -4,7 +4,7 @@ redef exit_only_after_terminate=T;
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM,
diff --git a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
index 949fcb3644..81a3a1c0e2 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
@@ -18,7 +18,7 @@ redef Cluster::nodes = { redef Log::default_rotation_interval = 0secs;
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)]; SumStats::create([$name="test",
diff --git a/testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro
index da8f8fb80f..55b0e30069 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro
@@ -27,7 +27,7 @@ event do_observe() schedule 0.1secs { do_observe() }; }
-event bro_init()
+event zeek_init()
 { local r1 = SumStats::Reducer($stream="test", $apply=set(SumStats::LAST),
diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro
index bb429a52cb..225b3951f2 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro
@@ -22,7 +22,7 @@ redef Log::default_rotation_interval = 0secs; global n = 0;
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1 = SumStats::Reducer($stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)); SumStats::create([$name="test sumstat",
@@ -37,7 +37,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) global ready_for_data: event();
-event bro_init()
+event zeek_init()
 { Broker::auto_publish(Cluster::worker_topic, ready_for_data); }
diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand.bro
index 78aba726ca..99658ad7d0 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/on-demand.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand.bro
@@ -28,7 +28,7 @@ event on_demand_key() } }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="test.reducer", $apply=set(SumStats::SUM)];
diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro
index 227313635a..36a1859f99 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro
@@ -18,7 +18,7 @@ redef Cluster::nodes = { redef Log::default_rotation_interval = 0secs;
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SAMPLE), $num_samples=5]; SumStats::create([$name="test",
@@ -47,7 +47,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) global ready_for_data: event();
-event bro_init()
+event zeek_init()
 { Broker::auto_publish(Cluster::worker_topic, ready_for_data);
diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample.bro b/testing/btest/scripts/base/frameworks/sumstats/sample.bro
index 4ba395b463..30e80b1b49 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/sample.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/sample.bro
@@ -1,7 +1,7 @@ # @TEST-EXEC: bro %INPUT # @TEST-EXEC: btest-diff .stdout
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SAMPLE), $num_samples=2];
diff --git a/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro b/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro
index b7bb826446..f751a85e98 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro
@@ -5,7 +5,7 @@ redef enum Notice::Type += { Test_Notice, };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)]; SumStats::create([$name="test1",
diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro
index 8a3a9bcf1b..d3ced7f692 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro
@@ -20,7 +20,7 @@ redef Cluster::nodes = { redef Log::default_rotation_interval = 0secs;
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::TOPK)];
@@ -53,7 +53,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) global ready_for_data: event();
-event bro_init()
+event zeek_init()
 { Broker::auto_publish(Cluster::worker_topic, ready_for_data); }
diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk.bro b/testing/btest/scripts/base/frameworks/sumstats/topk.bro
index 99c301c669..1a1ef7870a 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/topk.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/topk.bro
@@ -1,7 +1,7 @@ # @TEST-EXEC: bro %INPUT # @TEST-EXEC: btest-diff .stdout
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::TOPK)];
diff --git a/testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro b/testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro
index b96b8f02a6..74ce213505 100644
--- a/testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro
+++ b/testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro
@@ -19,7 +19,7 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) got_gap = T; }
-event bro_done()
+event zeek_done()
 { if ( ! got_data_after_gap ) exit(1);
diff --git a/testing/btest/scripts/base/protocols/http/http-pipelining.bro b/testing/btest/scripts/base/protocols/http/http-pipelining.bro
index bb392b1c4b..afb1a7f33e 100644
--- a/testing/btest/scripts/base/protocols/http/http-pipelining.bro
+++ b/testing/btest/scripts/base/protocols/http/http-pipelining.bro
@@ -2,7 +2,7 @@ # @TEST-EXEC: btest-diff http.log # mime type is irrelevant to this test, so filter it out
-event bro_init()
+event zeek_init()
 { Log::remove_default_filter(HTTP::LOG); Log::add_filter(HTTP::LOG, [$name="less-mime-types", $exclude=set("mime_type")]);
diff --git a/testing/btest/scripts/base/protocols/irc/basic.test b/testing/btest/scripts/base/protocols/irc/basic.test
index 618f4d9079..d4fb893e2c 100644
--- a/testing/btest/scripts/base/protocols/irc/basic.test
+++ b/testing/btest/scripts/base/protocols/irc/basic.test
@@ -6,7 +6,7 @@ # @TEST-EXEC: btest-diff conn.log # dcc mime types are irrelevant to this test, so filter it out
-event bro_init()
+event zeek_init()
 { Log::remove_default_filter(IRC::LOG); Log::add_filter(IRC::LOG, [$name="remove-mime", $exclude=set("dcc_mime_type")]);
diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb.test b/testing/btest/scripts/base/protocols/krb/smb2_krb.test
index 08c05d83f1..32c2a6e58d 100644
--- a/testing/btest/scripts/base/protocols/krb/smb2_krb.test
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb.test
@@ -11,7 +11,7 @@ redef KRB::keytab = "smb2_krb.keytab"; global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
-event bro_init() &priority=5{
+event zeek_init() &priority=5{
 Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports); }
diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
index 0d2c68d142..d08543a0fb 100644
--- a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
@@ -10,7 +10,7 @@ global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
-event bro_init() &priority=5{
+event zeek_init() &priority=5{
 Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports); }
diff --git a/testing/btest/scripts/base/protocols/mount/basic.test b/testing/btest/scripts/base/protocols/mount/basic.test
index 8576874ce3..bd6fd5d5db 100644
--- a/testing/btest/scripts/base/protocols/mount/basic.test
+++ b/testing/btest/scripts/base/protocols/mount/basic.test
@@ -4,7 +4,7 @@ global mount_ports: set[port] = { 635/tcp, 635/udp, 20048/tcp, 20048/udp } &redef; redef ignore_checksums = T;
-event bro_init()
+event zeek_init()
 { Analyzer::register_for_ports(Analyzer::ANALYZER_MOUNT, mount_ports); Analyzer::enable_analyzer(Analyzer::ANALYZER_MOUNT);
diff --git a/testing/btest/scripts/base/protocols/ncp/event.bro b/testing/btest/scripts/base/protocols/ncp/event.bro
index acb4bf0a0c..2333544b05 100644
--- a/testing/btest/scripts/base/protocols/ncp/event.bro
+++ b/testing/btest/scripts/base/protocols/ncp/event.bro
@@ -3,7 +3,7 @@ redef likely_server_ports += { 524/tcp };
-event bro_init()
+event zeek_init()
 { const ports = { 524/tcp }; Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports);
diff --git a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro
index 46ad87e752..cc4a5799f2 100644
--- a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro
+++ b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro
@@ -3,7 +3,7 @@ redef likely_server_ports += { 524/tcp };
-event bro_init()
+event zeek_init()
 { const ports = { 524/tcp }; Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports);
diff --git a/testing/btest/scripts/base/protocols/nfs/basic.test b/testing/btest/scripts/base/protocols/nfs/basic.test
index f2d2b1862a..9b7ae91910 100755
--- a/testing/btest/scripts/base/protocols/nfs/basic.test
+++ b/testing/btest/scripts/base/protocols/nfs/basic.test
@@ -4,7 +4,7 @@ global nfs_ports: set[port] = { 2049/tcp, 2049/udp } &redef; redef ignore_checksums = T;
-event bro_init()
+event zeek_init()
 { Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, nfs_ports); Analyzer::enable_analyzer(Analyzer::ANALYZER_NFS);
diff --git a/testing/btest/scripts/base/protocols/pop3/starttls.bro b/testing/btest/scripts/base/protocols/pop3/starttls.bro
index 8e0d1ab5ef..d2bfee6449 100644
--- a/testing/btest/scripts/base/protocols/pop3/starttls.bro
+++ b/testing/btest/scripts/base/protocols/pop3/starttls.bro
@@ -14,7 +14,7 @@ const ports = { }; redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 { Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports); }
diff --git a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
index 627e396517..d65ee81c41 100644
--- a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
+++ b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
@@ -6,7 +6,7 @@ # The DCE_RPC analyzer is a little weird since it's instantiated # by the SMB analyzer directly in some cases. Care needs to be # taken to handle a disabled analyzer correctly.
-event bro_init()
+event zeek_init()
 { Analyzer::disable_analyzer(Analyzer::ANALYZER_DCE_RPC); }
diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test
index 1a16a10db4..20b6ab6b74 100644
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@@ -9,7 +9,7 @@ @load base/frameworks/signatures @load-sigs base/protocols/ssl/dpd.sig
-event bro_init()
+event zeek_init()
 { print "Start test run"; }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
index c8c8acc589..181ee34909 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
@@ -6,7 +6,7 @@ @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 { Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
index 05483717b0..ff493a62a8 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
@@ -5,7 +5,7 @@ @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 { Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
index b95203dfd8..cfa5b99375 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
@@ -6,7 +6,7 @@ @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 { Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
index 43dbf82583..3b8c4a2d57 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
@@ -6,7 +6,7 @@ @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 { Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
index e4378135ad..3ee0e96776 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
@@ -6,7 +6,7 @@ @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 { Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/utils/active-http.test b/testing/btest/scripts/base/utils/active-http.test
index 97d06448ca..9f94a14c7f 100644
--- a/testing/btest/scripts/base/utils/active-http.test
+++ b/testing/btest/scripts/base/utils/active-http.test
@@ -35,7 +35,7 @@ function test_request(label: string, req: ActiveHTTP::Request) } }
-event bro_init()
+event zeek_init()
 { test_request("test1", [$url="127.0.0.1:32123"]); test_request("test2", [$url="127.0.0.1:32123/empty", $method="POST"]);
diff --git a/testing/btest/scripts/base/utils/addrs.test b/testing/btest/scripts/base/utils/addrs.test
index 224fd9dc62..8e5580d3e5 100644
--- a/testing/btest/scripts/base/utils/addrs.test
+++ b/testing/btest/scripts/base/utils/addrs.test
@@ -3,7 +3,7 @@ @load base/utils/addrs
-event bro_init()
+event zeek_init()
 { local ip = "0.0.0.0";
diff --git a/testing/btest/scripts/base/utils/decompose_uri.bro b/testing/btest/scripts/base/utils/decompose_uri.bro
index 6ed30e7889..074e782474 100644
--- a/testing/btest/scripts/base/utils/decompose_uri.bro
+++ b/testing/btest/scripts/base/utils/decompose_uri.bro
@@ -10,7 +10,7 @@ function dc(s: string) print ""; }
-event bro_init()
+event zeek_init()
 { dc("https://www.bro.org:42/documentation/faq.html?k1=v1&k2=v2"); dc("");
diff --git a/testing/btest/scripts/base/utils/dir.test b/testing/btest/scripts/base/utils/dir.test
index 4cbb4a3c89..ccb56b4276 100644
--- a/testing/btest/scripts/base/utils/dir.test
+++ b/testing/btest/scripts/base/utils/dir.test
@@ -47,7 +47,7 @@ function new_file(fname: string) terminate(); }
-event bro_init()
+event zeek_init()
 { Dir::monitor("../testdir", new_file, .25sec); }
diff --git a/testing/btest/scripts/base/utils/directions-and-hosts.test b/testing/btest/scripts/base/utils/directions-and-hosts.test
index 92d1b48d3a..a955053d4a 100644
--- a/testing/btest/scripts/base/utils/directions-and-hosts.test
+++ b/testing/btest/scripts/base/utils/directions-and-hosts.test
@@ -40,7 +40,7 @@ function test_dir(id: conn_id, d: Direction, expect: bool) result == expect ? "SUCCESS" : "FAIL"); }
-event bro_init()
+event zeek_init()
 { test_host(local_ip, LOCAL_HOSTS, T); test_host(local_ip, REMOTE_HOSTS, F);
diff --git a/testing/btest/scripts/base/utils/exec.test b/testing/btest/scripts/base/utils/exec.test
index 0b926df402..b8fbe474aa 100644
--- a/testing/btest/scripts/base/utils/exec.test
+++ b/testing/btest/scripts/base/utils/exec.test
@@ -26,7 +26,7 @@ function test_cmd(label: string, cmd: Exec::Command) } }
-event bro_init()
+event zeek_init()
 { test_cmd("test1", [$cmd="bash ../somescript.sh", $read_files=set("out1", "out2")]);
diff --git a/testing/btest/scripts/base/utils/files.test b/testing/btest/scripts/base/utils/files.test
index 3324522030..402da96bed 100644
--- a/testing/btest/scripts/base/utils/files.test
+++ b/testing/btest/scripts/base/utils/files.test
@@ -12,9 +12,9 @@ event connection_established(c: connection) print generate_extraction_filename("", c, ""); }
-event bro_init()
+event zeek_init()
 { print extract_filename_from_content_disposition("attachment; filename=Economy"); print extract_filename_from_content_disposition("attachment; name=\"US-$ rates\""); print extract_filename_from_content_disposition("attachment; filename*=iso-8859-1'en'%A3%20rates");
- }
\ No newline at end of file
+ }
diff --git a/testing/btest/scripts/base/utils/json.test b/testing/btest/scripts/base/utils/json.test
index 264151136a..968db1cefe 100644
--- a/testing/btest/scripts/base/utils/json.test
+++ b/testing/btest/scripts/base/utils/json.test
@@ -16,7 +16,7 @@ type myrec2: record { m: myrec1 &log; };
-event bro_init()
+event zeek_init()
 { # ##################################### # Test the basic (non-container) types:
diff --git a/testing/btest/scripts/base/utils/queue.test b/testing/btest/scripts/base/utils/queue.test
index 344ea73f45..b11cac233f 100644
--- a/testing/btest/scripts/base/utils/queue.test
+++ b/testing/btest/scripts/base/utils/queue.test
@@ -4,7 +4,7 @@ # This is loaded by default @load base/utils/queue
-event bro_init()
+event zeek_init()
 { local q = Queue::init([$max_len=2]); Queue::put(q, 1);
@@ -30,4 +30,4 @@ event bro_init() Queue::get_vector(q2, test3); for ( i in test3 ) print fmt("String queue value: %s", test3[i]);
- }
\ No newline at end of file
+ }
diff --git a/testing/btest/scripts/base/utils/site.test b/testing/btest/scripts/base/utils/site.test
index cfd7dd2ceb..50438a0b9c 100644
--- a/testing/btest/scripts/base/utils/site.test
+++ b/testing/btest/scripts/base/utils/site.test
@@ -12,7 +12,7 @@ redef Site::local_admins += { [141.142.100.0/24] = b, };
-event bro_init()
+event zeek_init()
 { print Site::get_emails(141.142.1.1); print Site::get_emails(141.142.100.100);
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro b/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro
index 8571784d9a..c90c5e41f4 100644
--- a/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro
@@ -17,7 +17,7 @@ www.dresdner-privat.de Intel::DOMAIN source1 test entry http://some-data-distrib redef Intel::read_files += { "intel.dat" };
-event bro_init()
+event zeek_init()
 { suspend_processing(); }
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro b/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
index fd21e0f73a..6ad04e95bd 100644
--- a/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
@@ -16,7 +16,7 @@ name-addr@example.com Intel::EMAIL source1 test entry http://some-data-distribut redef Intel::read_files += { "intel.dat" };
-event bro_init()
+event zeek_init()
 { suspend_processing(); }
diff --git a/testing/btest/scripts/policy/frameworks/intel/whitelisting.bro b/testing/btest/scripts/policy/frameworks/intel/whitelisting.bro
index 53acd49aa9..560ba35c0a 100644
--- a/testing/btest/scripts/policy/frameworks/intel/whitelisting.bro
+++ b/testing/btest/scripts/policy/frameworks/intel/whitelisting.bro
@@ -23,7 +23,7 @@ redef Intel::read_files += { global total_files_read = 0;
-event bro_init()
+event zeek_init()
 { suspend_processing(); }
diff --git a/testing/btest/scripts/policy/frameworks/software/version-changes.bro b/testing/btest/scripts/policy/frameworks/software/version-changes.bro
index c6d2433236..493bc1d354 100644
--- a/testing/btest/scripts/policy/frameworks/software/version-changes.bro
+++ b/testing/btest/scripts/policy/frameworks/software/version-changes.bro
@@ -34,7 +34,7 @@ event new_software() event new_software(); }
-event bro_init()
+event zeek_init()
 { event new_software(); }
diff --git a/testing/btest/scripts/policy/frameworks/software/vulnerable.bro b/testing/btest/scripts/policy/frameworks/software/vulnerable.bro
index 2ea7009a21..dd233a6ffc 100644
--- a/testing/btest/scripts/policy/frameworks/software/vulnerable.bro
+++ b/testing/btest/scripts/policy/frameworks/software/vulnerable.bro
@@ -11,7 +11,7 @@ redef Software::vulnerable_versions += { ["Java"] = set(java_1_6_vuln, java_1_7_vuln) };
-event bro_init()
+event zeek_init()
 { Software::found([$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], [$name="Java", $host=1.2.3.4, $version=[$major=1, $minor=7, $minor2=0, $minor3=15]]);
diff --git a/testing/btest/scripts/policy/misc/weird-stats.bro b/testing/btest/scripts/policy/misc/weird-stats.bro
index b26fce8e47..b5f7c0901b 100644
--- a/testing/btest/scripts/policy/misc/weird-stats.bro
+++ b/testing/btest/scripts/policy/misc/weird-stats.bro
@@ -24,7 +24,7 @@ event gen_weirds(n: count, done: bool &default = F) schedule 5sec { die() }; }
-event bro_init()
+event zeek_init()
 { event gen_weirds(1000); schedule 7.5sec { gen_weirds(2000) } ;
diff --git a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
index 2e82eb9dfb..3041abab75 100644
--- a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
+++ b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
@@ -3,8 +3,8 @@ @load protocols/http/detect-sqli
-event bro_init ()
-{
+event zeek_init()
+ {
 local positive_matches: set[string]; local negative_matches: set[string];
diff --git a/testing/btest/signatures/dpd.bro b/testing/btest/signatures/dpd.bro
index 39f1b01294..b6d58fb3a3 100644
--- a/testing/btest/signatures/dpd.bro
+++ b/testing/btest/signatures/dpd.bro
@@ -30,7 +30,7 @@ signature my_ftp_server { @load base/utils/addrs
-event bro_init()
+event zeek_init()
 { # no analyzer attached to any port by default, depends entirely on sigs print "|Analyzer::all_registered_ports()|", |Analyzer::all_registered_ports()|;
diff --git a/testing/scripts/file-analysis-test.bro b/testing/scripts/file-analysis-test.bro
index aa7d158b55..337bf3c1c0 100644
--- a/testing/scripts/file-analysis-test.bro
+++ b/testing/scripts/file-analysis-test.bro
@@ -108,7 +108,7 @@ event file_state_remove(f: fa_file) print fmt("SHA256: %s", f$info$sha256); }
-event bro_init()
+event zeek_init()
 { add test_file_analyzers[Files::ANALYZER_MD5]; add test_file_analyzers[Files::ANALYZER_SHA1];
From 9d676d368ba3cdb69215fd8d6741ac1adbc39b6f Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Sun, 14 Apr 2019 09:58:30 -0400
Subject: [PATCH 70/88] Some more testing fixes.
---
 testing/btest/Baseline/bifs.global_sizes/out | 2 +-
 .../btest/Baseline/core.plugins.hooks/output | 24 ++++++------
 .../bro.output | 2 +-
 .../Baseline/language.common-mistakes/1.out | 2 +-
 testing/btest/Baseline/language.event/out | 4 +-
 .../language.index-assignment-invalid/out | 2 +-
 .../Baseline/language.returnwhen/bro..stdout | 6 +--
 testing/btest/Baseline/plugins.hooks/output | 38 +++++++++----------
 testing/btest/bifs/global_ids.bro | 2 +-
 testing/btest/bifs/global_sizes.bro | 4 +-
 testing/btest/bifs/lookup_ID.bro | 2 +-
 testing/btest/bifs/lstrip.bro | 2 +-
 testing/btest/bifs/rstrip.bro | 2 +-
 testing/btest/bifs/safe_shell_quote.bro | 2 +-
 testing/btest/bifs/type_name.bro | 2 +-
 testing/btest/core/init-error.bro | 6 +--
 testing/btest/core/leaks/returnwhen.bro | 6 +--
 .../core/when-interpreter-exceptions.bro | 2 +-
 testing/btest/coverage/broxygen.sh | 2 +-
 testing/btest/language/common-mistakes.bro | 16 ++++----
 testing/btest/language/eof-parse-errors.bro | 4 +-
 testing/btest/language/event.bro | 4 +-
 testing/btest/language/invalid_index.bro | 6 +--
 testing/btest/language/key-value-for.bro | 2 +-
 testing/btest/language/returnwhen.bro | 6 +--
 testing/btest/language/subnet-errors.bro | 6 +--
 .../language/ternary-record-mismatch.bro | 2 +-
 .../language/type-cast-error-dynamic.bro | 4 +-
 .../base/frameworks/input/config/spaces.bro | 2 +-
 .../input/path-prefix/absolute-prefix.bro | 6 +--
 .../input/path-prefix/absolute-source.bro | 6 +--
 .../frameworks/input/path-prefix/no-paths.bro | 6 +--
 .../input/path-prefix/relative-prefix.bro | 6 +--
 .../base/frameworks/intel/filter-item.bro | 2 +-
 .../base/protocols/ssl/dtls-no-dtls.test | 2 +-
 .../policy/frameworks/intel/removal.bro | 4 +-
 .../policy/frameworks/intel/seen/smb.bro | 2 +-
 37 files changed, 99 insertions(+), 99 deletions(-)
diff --git a/testing/btest/Baseline/bifs.global_sizes/out b/testing/btest/Baseline/bifs.global_sizes/out index 76c40b297a..fe0e737de0 100644 --- a/testing/btest/Baseline/bifs.global_sizes/out +++ b/testing/btest/Baseline/bifs.global_sizes/out @@ -1 +1 @@ -found bro_init +found zeek_init diff --git a/testing/btest/Baseline/core.plugins.hooks/output b/testing/btest/Baseline/core.plugins.hooks/output index 87f20f8512..f030cb0af2 100644 --- a/testing/btest/Baseline/core.plugins.hooks/output +++ b/testing/btest/Baseline/core.plugins.hooks/output @@ -188,7 +188,7 @@ 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, ()) -> -0.000000 MetaHookPost CallFunction(bro_init, ()) -> +0.000000 MetaHookPost CallFunction(zeek_init, ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> 0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> 
@@ -576,7 +576,7 @@ 0.000000 MetaHookPost LoadFile(base/utils/thresholds) -> -1 0.000000 MetaHookPost LoadFile(base/utils/time) -> -1 0.000000 MetaHookPost LoadFile(base/utils/urls) -> -1 -0.000000 MetaHookPost QueueEvent(bro_init()) -> false +0.000000 MetaHookPost QueueEvent(zeek_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_BACKDOOR)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_INTERCONN)) @@ -768,7 +768,7 @@ 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, ()) -0.000000 MetaHookPre CallFunction(bro_init, ()) +0.000000 MetaHookPre CallFunction(zeek_init, ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, ()) 0.000000 MetaHookPre CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) 0.000000 MetaHookPre CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) 
@@ -1156,7 +1156,7 @@ 0.000000 MetaHookPre LoadFile(base/utils/thresholds) 0.000000 MetaHookPre LoadFile(base/utils/time) 0.000000 MetaHookPre LoadFile(base/utils/urls) -0.000000 MetaHookPre QueueEvent(bro_init()) +0.000000 MetaHookPre QueueEvent(zeek_init()) 0.000000 MetaHookPre QueueEvent(filter_change_tracking()) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_INTERCONN) @@ -1348,7 +1348,7 @@ 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals}) 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average}) 0.000000 | HookCallFunction SumStats::register_observe_plugins() -0.000000 | HookCallFunction bro_init() +0.000000 | HookCallFunction zeek_init() 0.000000 | HookCallFunction filter_change_tracking() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) 
@@ -1736,7 +1736,7 @@ 0.000000 | HookLoadFile base/utils/thresholds.bro/bro 0.000000 | HookLoadFile base/utils/time.bro/bro 0.000000 | HookLoadFile base/utils/urls.bro/bro -0.000000 | HookQueueEvent bro_init() +0.000000 | HookQueueEvent zeek_init() 0.000000 | HookQueueEvent filter_change_tracking() 1362692526.869344 MetaHookPost CallFunction(ChecksumOffloading::check, ()) -> 1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, ()) -> 
@@ -2193,7 +2193,7 @@ 1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692527.080972 MetaHookPost CallFunction(Log::default_path_func, (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> 1362692527.080972 MetaHookPost CallFunction(Log::write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, 
resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> -1362692527.080972 MetaHookPost CallFunction(bro_done, ()) -> +1362692527.080972 MetaHookPost CallFunction(zeek_done, ()) -> 1362692527.080972 MetaHookPost CallFunction(connection_state_remove, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(filter_change_tracking, ()) -> 1362692527.080972 MetaHookPost CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, 
duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 
@@ -2214,7 +2214,7 @@ 1362692527.080972 MetaHookPost DrainEvents() -> 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false -1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false +1362692527.080972 MetaHookPost QueueEvent(zeek_done()) -> false 1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692527.080972 MetaHookPost QueueEvent(filter_change_tracking()) -> false 1362692527.080972 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, 
num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 
@@ -2227,7 +2227,7 @@ 1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692527.080972 MetaHookPre CallFunction(Log::default_path_func, (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) 1362692527.080972 MetaHookPre CallFunction(Log::write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, 
resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -1362692527.080972 MetaHookPre CallFunction(bro_done, ()) +1362692527.080972 MetaHookPre CallFunction(zeek_done, ()) 1362692527.080972 MetaHookPre CallFunction(connection_state_remove, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(filter_change_tracking, ()) 1362692527.080972 MetaHookPre CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, 
addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 
@@ -2248,7 +2248,7 @@ 1362692527.080972 MetaHookPre DrainEvents() 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) -1362692527.080972 MetaHookPre QueueEvent(bro_done()) +1362692527.080972 MetaHookPre QueueEvent(zeek_done()) 1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre QueueEvent(filter_change_tracking()) 1362692527.080972 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, 
duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 
@@ -2262,7 +2262,7 @@ 1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692527.080972 | HookCallFunction Log::default_path_func(Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, 
local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) -1362692527.080972 | HookCallFunction bro_done() +1362692527.080972 | HookCallFunction zeek_done() 1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction filter_change_tracking() 1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, 
extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 
@@ -2283,7 +2283,7 @@ 1362692527.080972 | HookDrainEvents 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() -1362692527.080972 | HookQueueEvent bro_done() +1362692527.080972 | HookQueueEvent zeek_done() 1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookQueueEvent filter_change_tracking() 1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, 
uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) diff --git a/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output b/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output index 27a90d137c..555983a868 100644 --- a/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output +++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output @@ -6,7 +6,7 @@ received termination signal [f(F)] f() done, no exception, T [f(T)] -[bro_init()] +[zeek_init()] timeout g(), T timeout timeout g(), F diff --git a/testing/btest/Baseline/language.common-mistakes/1.out b/testing/btest/Baseline/language.common-mistakes/1.out index 8070f84644..bae5aeef7b 100644 --- a/testing/btest/Baseline/language.common-mistakes/1.out +++ b/testing/btest/Baseline/language.common-mistakes/1.out @@ -1,4 +1,4 @@ expression error in ./1.bro, line 9: field value missing (mr$f) bar start foo start -other bro_init +other zeek_init diff --git a/testing/btest/Baseline/language.event/out b/testing/btest/Baseline/language.event/out index 14fa9c1e8a..66f0ada96f 100644 --- a/testing/btest/Baseline/language.event/out 
+++ b/testing/btest/Baseline/language.event/out @@ -2,6 +2,6 @@ event statement event part1 event part2 assign event variable (6) -schedule statement in bro_init +schedule statement in zeek_init schedule statement in global -schedule statement another in bro_init +schedule statement another in zeek_init diff --git a/testing/btest/Baseline/language.index-assignment-invalid/out b/testing/btest/Baseline/language.index-assignment-invalid/out index 3972a9f10e..e36f611e43 100644 --- a/testing/btest/Baseline/language.index-assignment-invalid/out +++ b/testing/btest/Baseline/language.index-assignment-invalid/out @@ -2,4 +2,4 @@ runtime error in /home/jon/pro/zeek/zeek/scripts/base/utils/queue.bro, line 152: #0 Queue::get_vector([initialized=T, vals={[2] = test,[6] = jkl;,[4] = asdf,[1] = goodbye,[5] = 3,[0] = hello,[3] = [a=T, b=hi, c=]}, settings=[max_len=], top=7, bottom=0, size=0], [hello, goodbye, test]) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:19 #1 bar(55) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:27 #2 foo(hi, 13) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:39 - #3 bro_init() + #3 zeek_init() diff --git a/testing/btest/Baseline/language.returnwhen/bro..stdout b/testing/btest/Baseline/language.returnwhen/bro..stdout index d213d7bd02..969b6715af 100644 --- a/testing/btest/Baseline/language.returnwhen/bro..stdout +++ b/testing/btest/Baseline/language.returnwhen/bro..stdout @@ -1,6 +1,6 @@ -dummy from async_func() from bro_init() -async_func() return result in bro_init(), flag in my_set -dummy from bro_init() when block +dummy from async_func() from zeek_init() +async_func() return result in zeek_init(), flag in my_set +dummy from zeek_init() when block hi! dummy from async_func() from do_another() async_func() return result in do_another(), flag in my_set 
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 1fb96d9d3c..329868ba9f 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -277,7 +277,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1555250203.059926, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -462,7 +462,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1555250203.059926, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -562,7 +562,6 @@ 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(Unified2::mappings_initialized, , ()) -> 0.000000 MetaHookPost CallFunction(Unified2::start_watching, , ()) -> -0.000000 MetaHookPost CallFunction(zeek_init, , ()) -> 0.000000 MetaHookPost CallFunction(current_time, , ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 0.000000 MetaHookPost CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) -> @@ -574,6 +573,7 @@ 0.000000 MetaHookPost CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -> 0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -> +0.000000 MetaHookPost CallFunction(zeek_init, , ()) -> 0.000000 MetaHookPost DrainEvents() -> 0.000000 MetaHookPost LoadFile(0, ..<...>/main.bro) -> -1 0.000000 MetaHookPost LoadFile(0, ..<...>/plugin.bro) -> -1 
@@ -899,8 +899,8 @@ 0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> 0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false -0.000000 MetaHookPost QueueEvent(zeek_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false +0.000000 MetaHookPost QueueEvent(zeek_init()) -> false 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_INTERCONN)) 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) @@ -1180,7 +1180,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1555250203.059926, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1365,7 +1365,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1555250203.059926, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1465,7 +1465,6 @@ 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, , ()) 0.000000 MetaHookPre CallFunction(Unified2::mappings_initialized, , ()) 0.000000 MetaHookPre CallFunction(Unified2::start_watching, , ()) -0.000000 MetaHookPre CallFunction(zeek_init, , ()) 0.000000 MetaHookPre CallFunction(current_time, , ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) 0.000000 MetaHookPre CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) @@ -1477,6 +1476,7 @@ 0.000000 MetaHookPre CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) 0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) +0.000000 MetaHookPre CallFunction(zeek_init, , ()) 0.000000 MetaHookPre DrainEvents() 0.000000 MetaHookPre LoadFile(0, ..<...>/main.bro) 0.000000 MetaHookPre LoadFile(0, ..<...>/plugin.bro) 
@@ -1802,8 +1802,8 @@ 0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) 0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) 0.000000 MetaHookPre QueueEvent(NetControl::init()) -0.000000 MetaHookPre QueueEvent(zeek_init()) 0.000000 MetaHookPre QueueEvent(filter_change_tracking()) +0.000000 MetaHookPre QueueEvent(zeek_init()) 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR) 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_INTERCONN) 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE) @@ -2082,7 +2082,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1555250203.059926, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2267,7 +2267,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1555250203.059926, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2367,7 +2367,6 @@ 0.000000 | HookCallFunction SumStats::register_observe_plugins() 0.000000 | HookCallFunction Unified2::mappings_initialized() 0.000000 | HookCallFunction Unified2::start_watching() -0.000000 | HookCallFunction zeek_init() 0.000000 | HookCallFunction current_time() 0.000000 | HookCallFunction filter_change_tracking() 0.000000 | HookCallFunction getenv(BRO_DEFAULT_LISTEN_ADDRESS) @@ -2379,6 +2378,7 @@ 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) +0.000000 | HookCallFunction zeek_init() 0.000000 | HookDrainEvents 0.000000 | HookLoadFile ..<...>/main.bro 0.000000 | HookLoadFile ..<...>/plugin.bro 
@@ -2702,10 +2702,10 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1554405757.770254, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1555250203.059926, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() -0.000000 | HookQueueEvent zeek_init() 0.000000 | HookQueueEvent filter_change_tracking() +0.000000 | HookQueueEvent zeek_init() 1362692526.869344 MetaHookPost BroObjDtor() -> 1362692526.869344 MetaHookPost CallFunction(ChecksumOffloading::check, , ()) -> 1362692526.869344 MetaHookPost CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) -> 
@@ -3154,7 +3154,6 @@ 1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> 1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> -1362692527.080972 MetaHookPost CallFunction(bro_done, , ()) -> 1362692527.080972 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.080972 MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 
@@ -3169,14 +3168,15 @@ 1362692527.080972 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.080972 MetaHookPost CallFunction(sub_bytes, , (HTTP, 0, 1)) -> 1362692527.080972 MetaHookPost CallFunction(to_lower, , (HTTP)) -> +1362692527.080972 MetaHookPost CallFunction(zeek_done, , ()) -> 1362692527.080972 MetaHookPost DrainEvents() -> 1362692527.080972 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) -> 1362692527.080972 MetaHookPost LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) -> true 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false -1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false 1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, 
syslog=])) -> false 1362692527.080972 MetaHookPost QueueEvent(filter_change_tracking()) -> false 1362692527.080972 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692527.080972 MetaHookPost QueueEvent(zeek_done()) -> false 1362692527.080972 MetaHookPost UpdateNetworkTime(1362692527.080972) -> 1362692527.080972 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) 1362692527.080972 MetaHookPre CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) 
@@ -3187,7 +3187,6 @@ 1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) 1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -1362692527.080972 MetaHookPre CallFunction(bro_done, , ()) 1362692527.080972 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.080972 MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(filter_change_tracking, , ()) 
@@ -3202,14 +3201,15 @@ 1362692527.080972 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.080972 MetaHookPre CallFunction(sub_bytes, , (HTTP, 0, 1)) 1362692527.080972 MetaHookPre CallFunction(to_lower, , (HTTP)) +1362692527.080972 MetaHookPre CallFunction(zeek_done, , ()) 1362692527.080972 MetaHookPre DrainEvents() 1362692527.080972 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) 1362692527.080972 MetaHookPre LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) -1362692527.080972 MetaHookPre QueueEvent(bro_done()) 1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre 
QueueEvent(filter_change_tracking()) 1362692527.080972 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre QueueEvent(zeek_done()) 1362692527.080972 MetaHookPre UpdateNetworkTime(1362692527.080972) 1362692527.080972 | HookUpdateNetworkTime 1362692527.080972 1362692527.080972 | HookCallFunction ChecksumOffloading::check() 
@@ -3221,7 +3221,6 @@ 1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) -1362692527.080972 | HookCallFunction bro_done() 1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) 1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction filter_change_tracking() 
@@ -3236,11 +3235,12 @@ 1362692527.080972 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1) 1362692527.080972 | HookCallFunction to_lower(HTTP) +1362692527.080972 | HookCallFunction zeek_done() 1362692527.080972 | HookDrainEvents 1362692527.080972 | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])} 1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=] 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() -1362692527.080972 | HookQueueEvent zeek_done() 1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookQueueEvent filter_change_tracking() 1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, 
current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookQueueEvent zeek_done() diff --git a/testing/btest/bifs/global_ids.bro b/testing/btest/bifs/global_ids.bro index a6d7b306cb..8875065b3b 100644 --- a/testing/btest/bifs/global_ids.bro +++ b/testing/btest/bifs/global_ids.bro @@ -8,7 +8,7 @@ event zeek_init() for ( i in a ) { # the table is quite large, so just print one item we expect - if ( i == "bro_init" ) + if ( i == "zeek_init" ) print a[i]$type_name; } diff --git a/testing/btest/bifs/global_sizes.bro b/testing/btest/bifs/global_sizes.bro index 1eb2abbd87..5705ae5e95 100644 --- a/testing/btest/bifs/global_sizes.bro +++ b/testing/btest/bifs/global_sizes.bro @@ -8,8 +8,8 @@ event zeek_init() for ( i in a ) { # the table is quite large, so just look for one item we expect - if ( i == "bro_init" ) - print "found bro_init"; + if ( i == "zeek_init" ) + print "found zeek_init"; } diff --git a/testing/btest/bifs/lookup_ID.bro b/testing/btest/bifs/lookup_ID.bro index 94e7bf0180..1d11d1a8cb 100644 --- a/testing/btest/bifs/lookup_ID.bro +++ b/testing/btest/bifs/lookup_ID.bro @@ -12,5 +12,5 @@ event zeek_init() print lookup_ID(""); print lookup_ID("xyz"); print lookup_ID("b"); - print type_name( lookup_ID("bro_init") ); + print type_name( lookup_ID("zeek_init") ); } diff --git a/testing/btest/bifs/lstrip.bro b/testing/btest/bifs/lstrip.bro index f382b06e23..850ec90d3f 100644 --- a/testing/btest/bifs/lstrip.bro +++ b/testing/btest/bifs/lstrip.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local link_test = "https://www.zeek.org"; local one_side = "abcdcab"; diff --git a/testing/btest/bifs/rstrip.bro b/testing/btest/bifs/rstrip.bro index a0695b8107..f99ebd5f8d 100644 --- a/testing/btest/bifs/rstrip.bro +++ b/testing/btest/bifs/rstrip.bro 
@@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local link_test = "https://www.zeek.org"; local one_side = "abcdcab"; diff --git a/testing/btest/bifs/safe_shell_quote.bro b/testing/btest/bifs/safe_shell_quote.bro index 490952c79b..9f43fe4089 100644 --- a/testing/btest/bifs/safe_shell_quote.bro +++ b/testing/btest/bifs/safe_shell_quote.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "echo `pwd` ${TEST} > \"my file\"; echo -e \"\\n\""; print a; diff --git a/testing/btest/bifs/type_name.bro b/testing/btest/bifs/type_name.bro index 7377558db2..6f9f9c6f32 100644 --- a/testing/btest/bifs/type_name.bro +++ b/testing/btest/bifs/type_name.bro @@ -69,5 +69,5 @@ event zeek_init() print type_name(y); # result is "file of string" which is a bit odd; # we should remove the (apparently unused) type argument # from files. - print type_name(bro_init); + print type_name(zeek_init); } diff --git a/testing/btest/core/init-error.bro b/testing/btest/core/init-error.bro index c415ca16b1..858fad4eb1 100644 --- a/testing/btest/core/init-error.bro +++ b/testing/btest/core/init-error.bro @@ -3,19 +3,19 @@ # @TEST-EXEC-FAIL: unset ZEEK_ALLOW_INIT_ERRORS && bro -b %INPUT >out 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out -event bro_init() &priority=10 +event zeek_init() &priority=10 { print "1st event"; } -event bro_init() &priority=10 +event zeek_init() &priority=10 { print "2nd event"; local v = vector(1, 2, 3); print v[10]; } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { print "3rd event"; } diff --git a/testing/btest/core/leaks/returnwhen.bro b/testing/btest/core/leaks/returnwhen.bro index cf1115a738..1220a3c371 100644 --- a/testing/btest/core/leaks/returnwhen.bro +++ b/testing/btest/core/leaks/returnwhen.bro 
@@ -71,10 +71,10 @@ event zeek_init() schedule 1sec { set_flag() }; - when ( local result = async_func("from bro_init()") ) + when ( local result = async_func("from zeek_init()") ) { - print "async_func() return result in bro_init()", result; - print local_dummy("from bro_init() when block"); + print "async_func() return result in zeek_init()", result; + print local_dummy("from zeek_init() when block"); print anon("hi"); if ( result == "timeout" ) terminate(); schedule 10msec { do_another() }; diff --git a/testing/btest/core/when-interpreter-exceptions.bro b/testing/btest/core/when-interpreter-exceptions.bro index f6a1d8a73b..41f2374c2f 100644 --- a/testing/btest/core/when-interpreter-exceptions.bro +++ b/testing/btest/core/when-interpreter-exceptions.bro @@ -81,7 +81,7 @@ function g(do_exception: bool): bool event zeek_init() { - local cmd = Exec::Command($cmd="echo 'bro_init()'"); + local cmd = Exec::Command($cmd="echo 'zeek_init()'"); local stall = Exec::Command($cmd="sleep 30"); when ( local result = Exec::run(cmd) ) diff --git a/testing/btest/coverage/broxygen.sh b/testing/btest/coverage/broxygen.sh index 13bf24bce3..eee4575738 100644 --- a/testing/btest/coverage/broxygen.sh +++ b/testing/btest/coverage/broxygen.sh @@ -2,7 +2,7 @@ # loadable script is referenced there. The only additional check here is # that the broxygen package should even load scripts that are commented # out in test-all-policy.bro because the broxygen package is only loaded -# when generated documentation and will terminate has soon as bro_init +# when generated documentation and will terminate has soon as zeek_init # is handled, even if a script will e.g. put Bro into listen mode or otherwise # cause it to not terminate after scripts are parsed. diff --git a/testing/btest/language/common-mistakes.bro b/testing/btest/language/common-mistakes.bro index 361aae0ff4..bff40f1617 100644 --- a/testing/btest/language/common-mistakes.bro +++ b/testing/btest/language/common-mistakes.bro 
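Review bot: In the testing/btest/coverage/broxygen.sh hunk, the comment line rewritten for the rename still reads "when generated documentation and will terminate has soon as zeek_init", which is hard to parse. Since the line is being touched anyway, I would fix the wording to `# when generating documentation and will terminate as soon as zeek_init`. The next context line still says "put Bro into listen mode", so the comment now mixes the old and new project names; worth making consistent if that is in scope for this rename. The comment block starts above the hunk, so its opening lines are not visible here.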
@@ -33,17 +33,17 @@ function bar() print "bar done"; } -event bro_init() +event zeek_init() { bar(); # Unreachable - print "bro_init done"; + print "zeek_init done"; } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { # Reachable - print "other bro_init"; + print "other zeek_init"; } @TEST-END-FILE @@ -65,11 +65,11 @@ function foo() print "foo done"; } -event bro_init() +event zeek_init() { foo(); # Unreachable - print "bro_init done"; + print "zeek_init done"; } @TEST-END-FILE @@ -84,12 +84,12 @@ function foo(v: vector of any) print "foo done"; } -event bro_init() +event zeek_init() { local v: vector of count; v += 1; foo(v); # Unreachable - print "bro_init done", v; + print "zeek_init done", v; } @TEST-END-FILE diff --git a/testing/btest/language/eof-parse-errors.bro b/testing/btest/language/eof-parse-errors.bro index a2c6edc66d..fbe857fc17 100644 --- a/testing/btest/language/eof-parse-errors.bro +++ b/testing/btest/language/eof-parse-errors.bro @@ -6,7 +6,7 @@ @TEST-START-FILE a.bro module A; -event bro_init() +event zeek_init() { print "a"; @TEST-END-FILE @@ -14,7 +14,7 @@ event bro_init() @TEST-START-FILE b.bro module B; -event bro_init() +event zeek_init() { print "b"; } diff --git a/testing/btest/language/event.bro b/testing/btest/language/event.bro index 5f9f552e0d..664bff49ef 100644 --- a/testing/btest/language/event.bro +++ b/testing/btest/language/event.bro @@ -38,8 +38,8 @@ event zeek_init() event e1(); # Test calling an event with "schedule" statement - schedule 1 sec { e2("in bro_init") }; - schedule 3 sec { e2("another in bro_init") }; + schedule 1 sec { e2("in zeek_init") }; + schedule 3 sec { e2("another in zeek_init") }; # Test calling an event that has two separate definitions event e3("foo"); diff --git a/testing/btest/language/invalid_index.bro b/testing/btest/language/invalid_index.bro index 23fdb50d06..399865ba23 100644 --- a/testing/btest/language/invalid_index.bro +++ b/testing/btest/language/invalid_index.bro 
@@ -4,19 +4,19 @@ global foo: vector of count = { 42 }; global foo2: table[count] of count = { [0] = 13 }; -event bro_init() +event zeek_init() { print "foo[0]", foo[0]; print "foo[1]", foo[1]; } -event bro_init() +event zeek_init() { print "foo2[0]", foo2[0]; print "foo2[1]", foo2[1]; } -event bro_done() +event zeek_done() { print "done"; } diff --git a/testing/btest/language/key-value-for.bro b/testing/btest/language/key-value-for.bro index 97591dcacf..396c1d0bab 100644 --- a/testing/btest/language/key-value-for.bro +++ b/testing/btest/language/key-value-for.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { # Test single keys diff --git a/testing/btest/language/returnwhen.bro b/testing/btest/language/returnwhen.bro index 79f55fbfc2..c3d5f17661 100644 --- a/testing/btest/language/returnwhen.bro +++ b/testing/btest/language/returnwhen.bro @@ -66,10 +66,10 @@ event zeek_init() schedule 1sec { set_flag() }; - when ( local result = async_func("from bro_init()") ) + when ( local result = async_func("from zeek_init()") ) { - print "async_func() return result in bro_init()", result; - print local_dummy("from bro_init() when block"); + print "async_func() return result in zeek_init()", result; + print local_dummy("from zeek_init() when block"); print anon("hi"); if ( result == "timeout" ) terminate(); schedule 10msec { do_another() }; diff --git a/testing/btest/language/subnet-errors.bro b/testing/btest/language/subnet-errors.bro index fa98dcec48..499a6fb552 100644 --- a/testing/btest/language/subnet-errors.bro +++ b/testing/btest/language/subnet-errors.bro @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -b %INPUT >out 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out -event bro_init() +event zeek_init() { local i = 32; print 1.2.3.4/i; @@ -10,7 +10,7 @@ event bro_init() print "init 1"; } -event bro_init() +event zeek_init() { local i = 128; print [::]/i; 
@@ -19,7 +19,7 @@ event bro_init() print "init 1"; } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { print "init last"; } diff --git a/testing/btest/language/ternary-record-mismatch.bro b/testing/btest/language/ternary-record-mismatch.bro index 068952a69f..3c0c4ab95e 100644 --- a/testing/btest/language/ternary-record-mismatch.bro +++ b/testing/btest/language/ternary-record-mismatch.bro @@ -7,7 +7,7 @@ type MyRecord: record { c: bool &default = T; }; -event bro_init() +event zeek_init() { local rec: MyRecord = record($a = "a string", $b = 6); local rec2: MyRecord = (F) ? MyRecord($a = "a string", $b = 6) : diff --git a/testing/btest/language/type-cast-error-dynamic.bro b/testing/btest/language/type-cast-error-dynamic.bro index fb0605b196..21f51bc8d8 100644 --- a/testing/btest/language/type-cast-error-dynamic.bro +++ b/testing/btest/language/type-cast-error-dynamic.bro @@ -16,14 +16,14 @@ event zeek_init() cast_to_string(42); } -event bro_init() +event zeek_init() { local x: X; x = [$a = 1.2.3.4, $b=1947/tcp]; cast_to_string(x); } -event bro_init() +event zeek_init() { print "data is string", Broker::Data() is string; cast_to_string(Broker::Data()); diff --git a/testing/btest/scripts/base/frameworks/input/config/spaces.bro b/testing/btest/scripts/base/frameworks/input/config/spaces.bro index 90afa20b13..00bc64888e 100644 --- a/testing/btest/scripts/base/frameworks/input/config/spaces.bro +++ b/testing/btest/scripts/base/frameworks/input/config/spaces.bro @@ -51,7 +51,7 @@ event Input::end_of_data(name: string, source:string) terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); 
diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro index df8a68613d..d0433649f3 100644 --- a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro @@ -22,7 +22,7 @@ @load path-prefix-common-table.bro redef InputAscii::path_prefix = "@path_prefix@"; -event bro_init() +event zeek_init() { Input::add_table([$source="input.data", $name="input", $idx=Idx, $val=Val, $destination=destination, $want_record=F]); @@ -35,7 +35,7 @@ event bro_init() @load path-prefix-common-event.bro redef InputAscii::path_prefix = "@path_prefix@"; -event bro_init() +event zeek_init() { Input::add_event([$source="input.data", $name="input", $fields=Val, $ev=inputev]); @@ -48,7 +48,7 @@ event bro_init() @load path-prefix-common-analysis.bro redef InputBinary::path_prefix = "@path_prefix@"; -event bro_init() +event zeek_init() { Input::add_analysis([$source="input.data", $name="input"]); } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro index 06d711a5e8..b21b8ec9a4 100644 --- a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro @@ -16,7 +16,7 @@ @load path-prefix-common-table.bro redef InputAscii::path_prefix = "/this/does/not/exist"; -event bro_init() +event zeek_init() { Input::add_table([$source="@path_prefix@/input.data", $name="input", $idx=Idx, $val=Val, $destination=destination, $want_record=F]); 
@@ -29,7 +29,7 @@ event bro_init() @load path-prefix-common-event.bro redef InputAscii::path_prefix = "/this/does/not/exist"; -event bro_init() +event zeek_init() { Input::add_event([$source="@path_prefix@/input.data", $name="input", $fields=Val, $ev=inputev]); @@ -42,7 +42,7 @@ event bro_init() @load path-prefix-common-analysis.bro redef InputBinary::path_prefix = "/this/does/not/exist"; -event bro_init() +event zeek_init() { Input::add_analysis([$source="@path_prefix@/input.data", $name="input"]); } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro index dd38fd7796..394ba2c8d1 100644 --- a/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro @@ -13,7 +13,7 @@ @load path-prefix-common-table.bro -event bro_init() +event zeek_init() { Input::add_table([$source="input.data", $name="input", $idx=Idx, $val=Val, $destination=destination, $want_record=F]); @@ -25,7 +25,7 @@ event bro_init() @load path-prefix-common-event.bro -event bro_init() +event zeek_init() { Input::add_event([$source="input.data", $name="input", $fields=Val, $ev=inputev]); @@ -37,7 +37,7 @@ event bro_init() @load path-prefix-common-analysis.bro -event bro_init() +event zeek_init() { Input::add_analysis([$source="input.data", $name="input"]); } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro index 52ae233289..7676b50e43 100644 --- a/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro 
@@ -16,7 +16,7 @@ @load path-prefix-common-table.bro redef InputAscii::path_prefix = "alternative"; -event bro_init() +event zeek_init() { Input::add_table([$source="input.data", $name="input", $idx=Idx, $val=Val, $destination=destination, $want_record=F]); @@ -29,7 +29,7 @@ event bro_init() @load path-prefix-common-event.bro redef InputAscii::path_prefix = "alternative"; -event bro_init() +event zeek_init() { Input::add_event([$source="input.data", $name="input", $fields=Val, $ev=inputev]); @@ -42,7 +42,7 @@ event bro_init() @load path-prefix-common-analysis.bro redef InputBinary::path_prefix = "alternative"; -event bro_init() +event zeek_init() { Input::add_analysis([$source="input.data", $name="input"]); } diff --git a/testing/btest/scripts/base/frameworks/intel/filter-item.bro b/testing/btest/scripts/base/frameworks/intel/filter-item.bro index c598664996..81353ce7fc 100644 --- a/testing/btest/scripts/base/frameworks/intel/filter-item.bro +++ b/testing/btest/scripts/base/frameworks/intel/filter-item.bro @@ -37,7 +37,7 @@ event Intel::log_intel(rec: Intel::Info) terminate(); } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { schedule 1sec { do_it() }; } diff --git a/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test b/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test index c8721529c9..e8731bb1be 100644 --- a/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test +++ b/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test @@ -3,7 +3,7 @@ # @TEST-EXEC: bro -C -r $TRACES/dns-txt-multiple.trace %INPUT # @TEST-EXEC: btest-diff .stdout -event bro_init() +event zeek_init() { const add_ports = { 53/udp }; Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, add_ports); diff --git a/testing/btest/scripts/policy/frameworks/intel/removal.bro b/testing/btest/scripts/policy/frameworks/intel/removal.bro index 4d7e450da4..41c87bc6fb 100644 --- a/testing/btest/scripts/policy/frameworks/intel/removal.bro 
+++ b/testing/btest/scripts/policy/frameworks/intel/removal.bro @@ -38,9 +38,9 @@ event Intel::log_intel(rec: Intel::Info) terminate(); } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { Intel::insert([$indicator="10.0.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]); Intel::insert([$indicator="10.0.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]); schedule 1sec { do_it() }; - } \ No newline at end of file + } diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/smb.bro b/testing/btest/scripts/policy/frameworks/intel/seen/smb.bro index 5dd594953b..5e0024ec7c 100644 --- a/testing/btest/scripts/policy/frameworks/intel/seen/smb.bro +++ b/testing/btest/scripts/policy/frameworks/intel/seen/smb.bro @@ -11,7 +11,7 @@ pythonfile Intel::FILE_NAME source1 test entry http://some-data-distributor.com/ redef Intel::read_files += { "intel.dat" }; -event bro_init() +event zeek_init() { suspend_processing(); } From 93d384adeb483dd831982eca7b080c23ee5ec0c5 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 16 Apr 2019 12:43:44 -0700 Subject: [PATCH 71/88] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index d1d0a8bb5c..12a22c295c 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit d1d0a8bb5c7999d81ad0de8b4474fc36ba6431dc +Subproject commit 12a22c295c31ec58009680b2babb111daf8b8e3c From 1e57e3f02644ae4de64567a6fc4b0a66ec967eb6 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 16 Apr 2019 16:07:49 -0700 Subject: [PATCH 72/88] Use .zeek file suffix in unit tests --- CHANGES | 4 ++ VERSION | 2 +- .../Baseline/bifs.to_double_from_string/error | 4 +- testing/btest/Baseline/core.div-by-zero/out | 10 ++-- .../Baseline/core.expr-exception/reporter.log | 18 ++++---- testing/btest/Baseline/core.init-error/out | 2 +- .../btest/Baseline/core.old_comm_usage/out | 2 +- .../Baseline/core.option-errors-2/.stderr | 2 +- .../Baseline/core.option-errors-3/.stderr | 2 +- .../btest/Baseline/core.option-errors/.stderr | 2 +- .../core.option-runtime-errors-10/.stderr | 2 +- .../core.option-runtime-errors-11/.stderr | 2 +- .../core.option-runtime-errors-12/.stderr | 2 +- .../core.option-runtime-errors-13/.stderr | 2 +- .../core.option-runtime-errors-2/.stderr | 2 +- .../core.option-runtime-errors-3/.stderr | 2 +- .../core.option-runtime-errors-4/.stderr | 2 +- .../core.option-runtime-errors-5/.stderr | 2 +- .../core.option-runtime-errors-6/.stderr | 2 +- .../core.option-runtime-errors-7/.stderr | 2 +- .../core.option-runtime-errors-8/.stderr | 2 +- .../core.option-runtime-errors-9/.stderr | 2 +- .../core.option-runtime-errors/.stderr | 2 +- .../core.reporter-error-in-handler/output | 4 +- .../Baseline/core.reporter-fmt-strings/output | 2 +- .../Baseline/core.reporter-parse-error/output | 2 +- .../core.reporter-runtime-error/output | 2 +- .../core.reporter-type-mismatch/output | 6 +-- .../Baseline/core.reporter/logger-test.log | 12 ++--- testing/btest/Baseline/core.reporter/output | 18 ++++---- .../bro.output | 8 ++-- .../coverage.coverage-blacklist/output | 10 ++-- .../Baseline/language.at-deprecated/.stderr | 6 +-- .../btest/Baseline/language.at-filename/out | 2 +- .../btest/Baseline/language.at-if-invalid/out | 8 ++-- .../out | 4 +- .../Baseline/language.common-mistakes/1.out | 2 +- .../Baseline/language.common-mistakes/2.out | 2 +- .../Baseline/language.common-mistakes/3.out | 2 +- .../Baseline/language.const/invalid.stderr | 26 
+++++------ .../btest/Baseline/language.deprecated/out | 38 +++++++-------- .../language.eof-parse-errors/output1 | 2 +- .../language.eof-parse-errors/output2 | 2 +- .../Baseline/language.event-local-var/out | 2 +- .../language.expire-expr-error/output | 2 +- .../language.expire-func-undef/output | 38 +++++++-------- .../Baseline/language.expire-type-error/out | 2 +- .../Baseline/language.hook_calls/invalid.out | 20 ++++---- .../language.index-assignment-invalid/out | 6 +-- .../btest/Baseline/language.invalid_index/out | 4 +- .../Baseline/language.outer_param_binding/out | 6 +-- .../Baseline/language.record-bad-ctor/out | 4 +- .../Baseline/language.record-bad-ctor2/out | 2 +- .../language.record-ceorce-orphan/out | 4 +- .../Baseline/language.record-coerce-clash/out | 2 +- .../language.record-default-set-mismatch/out | 2 +- .../language.record-type-checking/out | 22 ++++----- .../Baseline/language.set-type-checking/out | 46 +++++++++---------- .../btest/Baseline/language.subnet-errors/out | 4 +- .../Baseline/language.switch-error-mixed/out | 2 +- .../Baseline/language.switch-incomplete/out | 2 +- .../language.switch-types-error-duplicate/out | 2 +- .../out | 6 +-- .../Baseline/language.table-type-checking/out | 28 +++++------ .../language.ternary-record-mismatch/out | 2 +- .../language.type-cast-error-dynamic/output | 6 +-- .../language.type-cast-error-static/output | 4 +- .../Baseline/language.type-type-error/.stderr | 2 +- .../language.undefined-delete-field/output | 2 +- .../Baseline/language.uninitialized-local/out | 2 +- .../language.uninitialized-local2/out | 2 +- .../language.vector-type-checking/out | 38 +++++++-------- .../language.when-unitialized-rhs/out | 4 +- .../language.wrong-delete-field/output | 2 +- testing/btest/Baseline/plugins.hooks/output | 6 +-- .../Baseline/plugins.reporter-hook/output | 20 ++++---- .../plugins.reporter-hook/reporter.log | 8 ++-- .../manager-reporter.log | 4 +- .../.stderr | 4 +- .../reporter.log | 2 +- .../.stderr | 2 +- 
.../reporter.log | 2 +- ...version.bro => addr_count_conversion.zeek} | 0 ..._to_ptr_name.bro => addr_to_ptr_name.zeek} | 0 .../{addr_version.bro => addr_version.zeek} | 0 .../btest/bifs/{all_set.bro => all_set.zeek} | 0 .../{analyzer_name.bro => analyzer_name.zeek} | 0 .../btest/bifs/{any_set.bro => any_set.zeek} | 0 ...mfilter-seed.bro => bloomfilter-seed.zeek} | 0 .../{bloomfilter.bro => bloomfilter.zeek} | 0 .../{bro_version.bro => bro_version.zeek} | 0 ..._to_count.bro => bytestring_to_count.zeek} | 0 ...o_double.bro => bytestring_to_double.zeek} | 0 ...o_hexstr.bro => bytestring_to_hexstr.zeek} | 0 ...updates.bro => capture_state_updates.zeek} | 0 testing/btest/bifs/{cat.bro => cat.zeek} | 0 ...string_array.bro => cat_string_array.zeek} | 0 .../{check_subnet.bro => check_subnet.zeek} | 0 ...kpoint_state.bro => checkpoint_state.zeek} | 0 .../{clear_table.bro => clear_table.zeek} | 0 ...r_pattern.bro => convert_for_pattern.zeek} | 0 .../{count_to_addr.bro => count_to_addr.zeek} | 0 .../{create_file.bro => create_file.zeek} | 0 ...ent_analyzer.bro => current_analyzer.zeek} | 0 .../{current_time.bro => current_time.zeek} | 0 .../{decode_base64.bro => decode_base64.zeek} | 0 ...ase64_conn.bro => decode_base64_conn.zeek} | 0 ...erations.bro => directory_operations.zeek} | 0 ...nt_packet.bro => dump_current_packet.zeek} | 0 testing/btest/bifs/{edit.bro => edit.zeek} | 0 .../{encode_base64.bro => encode_base64.zeek} | 0 .../{entropy_test.bro => entropy_test.zeek} | 0 .../{enum_to_int.bro => enum_to_int.zeek} | 0 .../{escape_string.bro => escape_string.zeek} | 0 testing/btest/bifs/{exit.bro => exit.zeek} | 0 .../bifs/{file_mode.bro => file_mode.zeek} | 0 ...net_table.bro => filter_subnet_table.zeek} | 0 .../bifs/{find_all.bro => find_all.zeek} | 0 .../{find_entropy.bro => find_entropy.zeek} | 0 .../bifs/{find_last.bro => find_last.zeek} | 0 testing/btest/bifs/{fmt.bro => fmt.zeek} | 0 .../{fmt_ftp_port.bro => fmt_ftp_port.zeek} | 0 ...der.bro => 
get_current_packet_header.zeek} | 0 ...tcher_stats.bro => get_matcher_stats.zeek} | 0 ...roto.bro => get_port_transport_proto.zeek} | 0 .../{gethostname.bro => gethostname.zeek} | 0 .../btest/bifs/{getpid.bro => getpid.zeek} | 0 .../bifs/{getsetenv.bro => getsetenv.zeek} | 0 .../bifs/{global_ids.bro => global_ids.zeek} | 0 .../{global_sizes.bro => global_sizes.zeek} | 0 ...e_distance.bro => haversine_distance.zeek} | 0 .../btest/bifs/{hexdump.bro => hexdump.zeek} | 0 ...testring.bro => hexstr_to_bytestring.zeek} | 0 ...l_cardinality.bro => hll_cardinality.zeek} | 0 ...e_estimate.bro => hll_large_estimate.zeek} | 0 .../{identify_data.bro => identify_data.zeek} | 0 .../bifs/{is_ascii.bro => is_ascii.zeek} | 0 ..._interface.bro => is_local_interface.zeek} | 0 .../btest/bifs/{is_port.bro => is_port.zeek} | 0 .../{join_string.bro => join_string.zeek} | 0 ...distance.bro => levenshtein_distance.zeek} | 0 .../bifs/{lookup_ID.bro => lookup_ID.zeek} | 0 .../bifs/{lowerupper.bro => lowerupper.zeek} | 0 .../btest/bifs/{lstrip.bro => lstrip.zeek} | 0 .../bifs/{mask_addr.bro => mask_addr.zeek} | 0 ...hing_subnets.bro => matching_subnets.zeek} | 0 testing/btest/bifs/{math.bro => math.zeek} | 0 .../{merge_pattern.bro => merge_pattern.zeek} | 0 ...s-functions.bro => netbios-functions.zeek} | 0 testing/btest/bifs/{order.bro => order.zeek} | 0 .../bifs/{parse_ftp.bro => parse_ftp.zeek} | 0 .../bifs/{piped_exec.bro => piped_exec.zeek} | 0 ...name_to_addr.bro => ptr_name_to_addr.zeek} | 0 testing/btest/bifs/{rand.bro => rand.zeek} | 0 ..._v4_addr.bro => raw_bytes_to_v4_addr.zeek} | 0 ...reading_traces.bro => reading_traces.zeek} | 0 ..._vector.bro => record_type_to_vector.zeek} | 0 ...records_fields.bro => records_fields.zeek} | 0 .../{remask_addr.bro => remask_addr.zeek} | 0 .../btest/bifs/{resize.bro => resize.zeek} | 0 .../btest/bifs/{reverse.bro => reverse.zeek} | 0 .../{rotate_file.bro => rotate_file.zeek} | 0 ...e_by_name.bro => rotate_file_by_name.zeek} | 0 
.../btest/bifs/{rstrip.bro => rstrip.zeek} | 0 ..._shell_quote.bro => safe_shell_quote.zeek} | 0 .../{same_object.bro => same_object.zeek} | 0 testing/btest/bifs/{sort.bro => sort.zeek} | 0 ...tring_array.bro => sort_string_array.zeek} | 0 testing/btest/bifs/{split.bro => split.zeek} | 0 .../{split_string.bro => split_string.zeek} | 0 ...shell_escape.bro => str_shell_escape.zeek} | 0 .../btest/bifs/{strcmp.bro => strcmp.zeek} | 0 .../bifs/{strftime.bro => strftime.zeek} | 0 .../{string_fill.bro => string_fill.zeek} | 0 ..._to_pattern.bro => string_to_pattern.zeek} | 0 testing/btest/bifs/{strip.bro => strip.zeek} | 0 .../bifs/{strptime.bro => strptime.zeek} | 0 .../btest/bifs/{strstr.bro => strstr.zeek} | 0 testing/btest/bifs/{sub.bro => sub.zeek} | 0 ...subnet_to_addr.bro => subnet_to_addr.zeek} | 0 ...subnet_version.bro => subnet_version.zeek} | 0 .../{subst_string.bro => subst_string.zeek} | 0 .../btest/bifs/{system.bro => system.zeek} | 0 .../bifs/{system_env.bro => system_env.zeek} | 0 .../btest/bifs/{to_addr.bro => to_addr.zeek} | 0 .../bifs/{to_count.bro => to_count.zeek} | 0 .../bifs/{to_double.bro => to_double.zeek} | 0 ..._string.bro => to_double_from_string.zeek} | 0 .../btest/bifs/{to_int.bro => to_int.zeek} | 0 .../{to_interval.bro => to_interval.zeek} | 0 .../btest/bifs/{to_port.bro => to_port.zeek} | 0 .../bifs/{to_subnet.bro => to_subnet.zeek} | 0 .../btest/bifs/{to_time.bro => to_time.zeek} | 0 testing/btest/bifs/{topk.bro => topk.zeek} | 0 .../bifs/{type_name.bro => type_name.zeek} | 0 ...ique_id-pools.bro => unique_id-pools.zeek} | 4 +- .../{unique_id-rnd.bro => unique_id-rnd.zeek} | 0 .../bifs/{unique_id.bro => unique_id.zeek} | 0 ...uuid_to_string.bro => uuid_to_string.zeek} | 0 .../bifs/{val_size.bro => val_size.zeek} | 0 .../{x509_verify.bro => x509_verify.zeek} | 0 ...ect-on-retry.bro => connect-on-retry.zeek} | 8 ++-- .../{disconnect.bro => disconnect.zeek} | 10 ++-- .../btest/broker/{error.bro => error.zeek} | 4 +- .../{remote_event.bro => 
remote_event.zeek} | 8 ++-- ...te_event_any.bro => remote_event_any.zeek} | 8 ++-- ..._event_auto.bro => remote_event_auto.zeek} | 8 ++-- ...sl_auth.bro => remote_event_ssl_auth.zeek} | 8 ++-- ...r_any.bro => remote_event_vector_any.zeek} | 8 ++-- .../broker/{remote_id.bro => remote_id.zeek} | 8 ++-- .../{remote_log.bro => remote_log.zeek} | 14 +++--- ...ate_join.bro => remote_log_late_join.zeek} | 14 +++--- ...te_log_types.bro => remote_log_types.zeek} | 14 +++--- ...auth_failure.bro => ssl_auth_failure.zeek} | 8 ++-- .../broker/store/{clone.bro => clone.zeek} | 8 ++-- .../broker/store/{local.bro => local.zeek} | 0 .../btest/broker/store/{ops.bro => ops.zeek} | 0 .../broker/store/{record.bro => record.zeek} | 0 .../btest/broker/store/{set.bro => set.zeek} | 0 .../broker/store/{sqlite.bro => sqlite.zeek} | 0 .../broker/store/{table.bro => table.zeek} | 0 ...pe-conversion.bro => type-conversion.zeek} | 0 .../broker/store/{vector.bro => vector.zeek} | 0 .../btest/broker/{unpeer.bro => unpeer.zeek} | 8 ++-- .../{bits_per_uid.bro => bits_per_uid.zeek} | 0 ...fabric-path.bro => cisco-fabric-path.zeek} | 0 ...threshold.bro => conn-size-threshold.zeek} | 0 .../core/{conn-uid.bro => conn-uid.zeek} | 0 ...p_roles.bro => connection_flip_roles.zeek} | 0 .../core/{discarder.bro => discarder.zeek} | 16 +++---- .../{div-by-zero.bro => div-by-zero.zeek} | 0 .../core/{dns-init.bro => dns-init.zeek} | 0 .../{embedded-null.bro => embedded-null.zeek} | 0 ...edef-exists.bro => enum-redef-exists.zeek} | 0 .../btest/core/{erspan.bro => erspan.zeek} | 0 .../core/{erspanII.bro => erspanII.zeek} | 0 .../core/{erspanIII.bro => erspanIII.zeek} | 0 .../{ether-addrs.bro => ether-addrs.zeek} | 0 ...ent-arg-reuse.bro => event-arg-reuse.zeek} | 0 ...expr-exception.bro => expr-exception.zeek} | 0 .../core/{fake_dns.bro => fake_dns.zeek} | 0 ..._opaque_val.bro => global_opaque_val.zeek} | 0 .../{history-flip.bro => history-flip.zeek} | 0 .../icmp/{icmp_sent.bro => icmp_sent.zeek} | 0 
.../core/{init-error.bro => init-error.zeek} | 0 ...roken-header.bro => ip-broken-header.zeek} | 0 .../{basic-cluster.bro => basic-cluster.zeek} | 2 +- .../{bloomfilter.bro => bloomfilter.zeek} | 0 .../{clone_store.bro => clone_store.zeek} | 8 ++-- .../core/leaks/broker/{data.bro => data.zeek} | 0 .../{master_store.bro => master_store.zeek} | 0 .../btest/core/leaks/broker/remote_event.test | 8 ++-- .../btest/core/leaks/broker/remote_log.test | 14 +++--- .../leaks/{dns-nsec3.bro => dns-nsec3.zeek} | 0 .../core/leaks/{dns-txt.bro => dns-txt.zeek} | 0 .../btest/core/leaks/{dns.bro => dns.zeek} | 0 .../btest/core/leaks/{dtls.bro => dtls.zeek} | 0 testing/btest/core/leaks/exec.test | 4 +- ...tp-get.bro => file-analysis-http-get.zeek} | 2 +- .../{hll_cluster.bro => hll_cluster.zeek} | 2 +- .../btest/core/leaks/{hook.bro => hook.zeek} | 0 .../{http-connect.bro => http-connect.zeek} | 0 .../{input-basic.bro => input-basic.zeek} | 0 .../{input-errors.bro => input-errors.zeek} | 0 ...ssing-enum.bro => input-missing-enum.zeek} | 0 ...al-event.bro => input-optional-event.zeek} | 0 ...al-table.bro => input-optional-table.zeek} | 0 .../leaks/{input-raw.bro => input-raw.zeek} | 0 .../{input-reread.bro => input-reread.zeek} | 0 .../{input-sqlite.bro => input-sqlite.zeek} | 0 ...with-remove.bro => input-with-remove.zeek} | 0 .../{kv-iteration.bro => kv-iteration.zeek} | 0 .../core/leaks/{pattern.bro => pattern.zeek} | 0 .../leaks/{returnwhen.bro => returnwhen.zeek} | 0 .../btest/core/leaks/{set.bro => set.zeek} | 0 testing/btest/core/leaks/snmp.test | 2 +- .../core/leaks/{stats.bro => stats.zeek} | 2 +- ...ring-indexing.bro => string-indexing.zeek} | 0 ...ch-statement.bro => switch-statement.zeek} | 0 .../core/leaks/{teredo.bro => teredo.zeek} | 0 .../leaks/{test-all.bro => test-all.zeek} | 0 .../core/leaks/{while.bro => while.zeek} | 0 ..._ocsp_verify.bro => x509_ocsp_verify.zeek} | 0 .../{x509_verify.bro => x509_verify.zeek} | 0 ...ad-duplicates.bro => load-duplicates.zeek} | 0 
...extension.bro => load-file-extension.zeek} | 0 .../core/{load-pkg.bro => load-pkg.zeek} | 0 .../{load-prefixes.bro => load-prefixes.zeek} | 2 +- .../{load-relative.bro => load-relative.zeek} | 6 +-- .../{load-unload.bro => load-unload.zeek} | 0 .../{mpls-in-vlan.bro => mpls-in-vlan.zeek} | 0 testing/btest/core/{nflog.bro => nflog.zeek} | 0 testing/btest/core/{nop.bro => nop.zeek} | 0 ...old_comm_usage.bro => old_comm_usage.zeek} | 0 .../{option-errors.bro => option-errors.zeek} | 0 ...-priorities.bro => option-priorities.zeek} | 0 .../{option-redef.bro => option-redef.zeek} | 0 ...-errors.bro => option-runtime-errors.zeek} | 0 .../core/pcap/{dumper.bro => dumper.zeek} | 0 ...dynamic-filter.bro => dynamic-filter.zeek} | 0 .../{filter-error.bro => filter-error.zeek} | 0 .../{input-error.bro => input-error.zeek} | 0 ...eudo-realtime.bro => pseudo-realtime.zeek} | 0 ...filter.bro => read-trace-with-filter.zeek} | 0 ...poe-over-qinq.bro => pppoe-over-qinq.zeek} | 0 ...bpf-filters.bro => print-bpf-filters.zeek} | 0 .../btest/core/{q-in-q.bro => q-in-q.zeek} | 0 .../core/{radiotap.bro => radiotap.zeek} | 0 .../core/{raw_packet.bro => raw_packet.zeek} | 0 .../core/{reassembly.bro => reassembly.zeek} | 0 ...cursive-event.bro => recursive-event.zeek} | 0 ...ler.bro => reporter-error-in-handler.zeek} | 0 ...-strings.bro => reporter-fmt-strings.zeek} | 0 ...se-error.bro => reporter-parse-error.zeek} | 0 ...-error.bro => reporter-runtime-error.zeek} | 0 ...ro => reporter-shutdown-order-errors.zeek} | 0 ...smatch.bro => reporter-type-mismatch.zeek} | 0 ...o => reporter-weird-sampling-disable.zeek} | 0 ...pling.bro => reporter-weird-sampling.zeek} | 0 .../core/{reporter.bro => reporter.zeek} | 0 ...fin-retransmit.bro => fin-retransmit.zeek} | 0 ...ssembly.bro => large-file-reassembly.zeek} | 0 .../{miss-end-data.bro => miss-end-data.zeek} | 0 .../tcp/{missing-syn.bro => missing-syn.zeek} | 0 ...quantum-insert.bro => quantum-insert.zeek} | 0 .../{rst-after-syn.bro => 
rst-after-syn.zeek} | 0 .../{rxmit-history.bro => rxmit-history.zeek} | 0 ...cated-header.bro => truncated-header.zeek} | 0 .../{false-teredo.bro => false-teredo.zeek} | 0 ...n-ip-version.bro => ip-in-ip-version.zeek} | 0 .../core/tunnels/{teredo.bro => teredo.zeek} | 0 .../core/tunnels/{vxlan.bro => vxlan.zeek} | 0 ...-assignment.bro => vector-assignment.zeek} | 0 .../core/{vlan-mpls.bro => vlan-mpls.zeek} | 0 ...s.bro => when-interpreter-exceptions.zeek} | 0 .../btest/core/{wlanmon.bro => wlanmon.zeek} | 0 ...izedtime.bro => x509-generalizedtime.zeek} | 0 ...-blacklist.bro => coverage-blacklist.zeek} | 0 .../{command_line.bro => command_line.zeek} | 0 ...l_bifs.bro => comment_retrieval_bifs.zeek} | 0 .../doc/broxygen/{enums.bro => enums.zeek} | 0 .../broxygen/{example.bro => example.zeek} | 0 .../{func-params.bro => func-params.zeek} | 0 .../{identifier.bro => identifier.zeek} | 0 .../broxygen/{package.bro => package.zeek} | 0 .../{package_index.bro => package_index.zeek} | 0 .../broxygen/{records.bro => records.zeek} | 0 .../{script_index.bro => script_index.zeek} | 0 ...script_summary.bro => script_summary.zeek} | 0 .../{type-aliases.bro => type-aliases.zeek} | 0 .../broxygen/{vectors.bro => vectors.zeek} | 0 .../doc/{record-add.bro => record-add.zeek} | 0 ...-attr-check.bro => record-attr-check.zeek} | 0 .../btest/language/{addr.bro => addr.zeek} | 0 testing/btest/language/{any.bro => any.zeek} | 0 .../{at-deprecated.bro => at-deprecated.zeek} | 8 ++-- .../language/{at-dir.bro => at-dir.zeek} | 4 +- .../{at-filename.bro => at-filename.zeek} | 0 .../{at-if-event.bro => at-if-event.zeek} | 0 .../{at-if-invalid.bro => at-if-invalid.zeek} | 0 .../btest/language/{at-if.bro => at-if.zeek} | 0 .../language/{at-ifdef.bro => at-ifdef.zeek} | 0 .../{at-ifndef.bro => at-ifndef.zeek} | 0 .../language/{at-load.bro => at-load.zeek} | 0 ...oercion.bro => attr-default-coercion.zeek} | 0 ...bro => attr-default-global-set-error.zeek} | 0 .../btest/language/{bool.bro => 
bool.zeek} | 0 ...mmon-mistakes.bro => common-mistakes.zeek} | 12 ++--- ...ession.bro => conditional-expression.zeek} | 0 .../btest/language/{const.bro => const.zeek} | 8 ++-- ...or-scope.bro => container-ctor-scope.zeek} | 0 .../btest/language/{copy.bro => copy.zeek} | 0 .../btest/language/{count.bro => count.zeek} | 0 ...oduct-init.bro => cross-product-init.zeek} | 0 ...default-params.bro => default-params.zeek} | 0 ...te-field-set.bro => delete-field-set.zeek} | 0 .../{delete-field.bro => delete-field.zeek} | 0 .../{deprecated.bro => deprecated.zeek} | 0 .../language/{double.bro => double.zeek} | 0 .../{enum-desc.bro => enum-desc.zeek} | 0 .../{enum-scope.bro => enum-scope.zeek} | 0 .../btest/language/{enum.bro => enum.zeek} | 0 ...parse-errors.bro => eof-parse-errors.zeek} | 8 ++-- ...ent-local-var.bro => event-local-var.zeek} | 0 .../btest/language/{event.bro => event.zeek} | 0 ...-expr-error.bro => expire-expr-error.zeek} | 0 ...-func-undef.bro => expire-func-undef.zeek} | 0 .../{expire-redef.bro => expire-redef.zeek} | 0 ...-type-error.bro => expire-type-error.zeek} | 0 ...pire_func_mod.bro => expire_func_mod.zeek} | 0 .../btest/language/{file.bro => file.zeek} | 0 testing/btest/language/{for.bro => for.zeek} | 0 ...nc-assignment.bro => func-assignment.zeek} | 0 .../language/{function.bro => function.zeek} | 0 .../btest/language/{hook.bro => hook.zeek} | 0 .../{hook_calls.bro => hook_calls.zeek} | 8 ++-- testing/btest/language/{if.bro => if.zeek} | 0 ...alid.bro => index-assignment-invalid.zeek} | 0 ...unction.bro => init-in-anon-function.zeek} | 0 testing/btest/language/{int.bro => int.zeek} | 0 .../language/{interval.bro => interval.zeek} | 0 .../{invalid_index.bro => invalid_index.zeek} | 0 .../{ipv6-literals.bro => ipv6-literals.zeek} | 0 .../{key-value-for.bro => key-value-for.zeek} | 0 .../language/{module.bro => module.zeek} | 0 ...cord-ctors.bro => named-record-ctors.zeek} | 0 ...med-set-ctors.bro => named-set-ctors.zeek} | 0 ...table-ctors.bro => 
named-table-ctors.zeek} | 0 ...ctor-ctors.bro => named-vector-ctors.zeek} | 0 .../{nested-sets.bro => nested-sets.zeek} | 0 .../{next-test.bro => next-test.zeek} | 0 .../{no-module.bro => no-module.zeek} | 0 ...null-statement.bro => null-statement.zeek} | 0 ...m_binding.bro => outer_param_binding.zeek} | 0 .../language/{pattern.bro => pattern.zeek} | 0 .../btest/language/{port.bro => port.zeek} | 0 .../{precedence.bro => precedence.zeek} | 0 .../{rec-comp-init.bro => rec-comp-init.zeek} | 0 ...rec-nested-opt.bro => rec-nested-opt.zeek} | 0 .../{rec-of-tbl.bro => rec-of-tbl.zeek} | 0 ...ble-default.bro => rec-table-default.zeek} | 0 ...cord-bad-ctor.bro => record-bad-ctor.zeek} | 0 ...rd-bad-ctor2.bro => record-bad-ctor2.zeek} | 0 ...e-orphan.bro => record-ceorce-orphan.zeek} | 0 ...rce-clash.bro => record-coerce-clash.zeek} | 0 ...rcion.bro => record-default-coercion.zeek} | 0 ...h.bro => record-default-set-mismatch.zeek} | 0 ...rd-extension.bro => record-extension.zeek} | 0 ...ion.bro => record-function-recursion.zeek} | 0 ...s.bro => record-index-complex-fields.zeek} | 0 ...ion.bro => record-recursive-coercion.zeek} | 0 ...-init.bro => record-redef-after-init.zeek} | 0 ...-ref-assign.bro => record-ref-assign.zeek} | 0 ...checking.bro => record-type-checking.zeek} | 0 ...dx.bro => redef-same-prefixtable-idx.zeek} | 0 .../{redef-vector.bro => redef-vector.zeek} | 0 .../{returnwhen.bro => returnwhen.zeek} | 0 ...rd-index.bro => set-opt-record-index.zeek} | 0 ...pe-checking.bro => set-type-checking.zeek} | 0 testing/btest/language/{set.bro => set.zeek} | 0 .../{short-circuit.bro => short-circuit.zeek} | 0 .../language/{sizeof.bro => sizeof.zeek} | 0 ...rman-test.bro => smith-waterman-test.zeek} | 0 ...ring-indexing.bro => string-indexing.zeek} | 0 .../language/{string.bro => string.zeek} | 0 .../language/{strings.bro => strings.zeek} | 0 .../{subnet-errors.bro => subnet-errors.zeek} | 0 .../language/{subnet.bro => subnet.zeek} | 0 ...rror-mixed.bro => 
switch-error-mixed.zeek} | 0 ...-incomplete.bro => switch-incomplete.zeek} | 0 ...ch-statement.bro => switch-statement.zeek} | 0 ....bro => switch-types-error-duplicate.zeek} | 0 ...ro => switch-types-error-unsupported.zeek} | 0 ...-types-vars.bro => switch-types-vars.zeek} | 0 .../{switch-types.bro => switch-types.zeek} | 0 ...t-record.bro => table-default-record.zeek} | 0 ...e-init-attrs.bro => table-init-attrs.zeek} | 0 ...rs.bro => table-init-container-ctors.zeek} | 0 ...ord-idx.bro => table-init-record-idx.zeek} | 0 .../{table-init.bro => table-init.zeek} | 0 .../{table-redef.bro => table-redef.zeek} | 0 ...-checking.bro => table-type-checking.zeek} | 0 .../btest/language/{table.bro => table.zeek} | 0 ...match.bro => ternary-record-mismatch.zeek} | 0 .../btest/language/{time.bro => time.zeek} | 0 .../language/{timeout.bro => timeout.zeek} | 0 .../{type-cast-any.bro => type-cast-any.zeek} | 0 ...namic.bro => type-cast-error-dynamic.zeek} | 0 ...static.bro => type-cast-error-static.zeek} | 0 ...type-cast-same.bro => type-cast-same.zeek} | 0 ...type-check-any.bro => type-check-any.zeek} | 0 ...heck-vector.bro => type-check-vector.zeek} | 0 ...pe-type-error.bro => type-type-error.zeek} | 0 ...-field.bro => undefined-delete-field.zeek} | 0 ...zed-local.bro => uninitialized-local.zeek} | 0 ...d-local2.bro => uninitialized-local2.zeek} | 0 ...-any-append.bro => vector-any-append.zeek} | 0 ...oerce-expr.bro => vector-coerce-expr.zeek} | 0 ...n-operator.bro => vector-in-operator.zeek} | 0 ...ords.bro => vector-list-init-records.zeek} | 0 ...checking.bro => vector-type-checking.zeek} | 0 ...nspecified.bro => vector-unspecified.zeek} | 0 .../language/{vector.bro => vector.zeek} | 0 ...ized-rhs.bro => when-unitialized-rhs.zeek} | 0 .../btest/language/{when.bro => when.zeek} | 0 .../btest/language/{while.bro => while.zeek} | 0 ...lete-field.bro => wrong-delete-field.zeek} | 0 ...ension.bro => wrong-record-extension.zeek} | 0 testing/btest/plugins/{file.bro => file.zeek} | 
0 .../btest/plugins/{hooks.bro => hooks.zeek} | 0 .../{init-plugin.bro => init-plugin.zeek} | 0 .../{logging-hooks.bro => logging-hooks.zeek} | 0 .../plugins/{pktdumper.bro => pktdumper.zeek} | 0 .../btest/plugins/{pktsrc.bro => pktsrc.zeek} | 0 ...version.bro => plugin-nopatchversion.zeek} | 0 ...rsion.bro => plugin-withpatchversion.zeek} | 0 .../Demo/Foo/base/{main.bro => main.zeek} | 0 .../plugins/{protocol.bro => protocol.zeek} | 0 .../btest/plugins/{reader.bro => reader.zeek} | 0 .../{reporter-hook.bro => reporter-hook.zeek} | 0 .../btest/plugins/{writer.bro => writer.zeek} | 0 .../data_event/{basic.bro => basic.zeek} | 0 .../files/extract/{limit.bro => limit.zeek} | 0 .../files/unified2/{alert.bro => alert.zeek} | 0 ...ble-analyzer.bro => disable-analyzer.zeek} | 0 ...able-analyzer.bro => enable-analyzer.zeek} | 0 ...er-for-port.bro => register-for-port.zeek} | 0 ...le-analyzer.bro => schedule-analyzer.zeek} | 0 ...ivity.bro => custom_pool_exclusivity.zeek} | 2 +- ...ool_limits.bro => custom_pool_limits.zeek} | 2 +- .../{forwarding.bro => forwarding.zeek} | 2 +- ...distribution.bro => log_distribution.zeek} | 2 +- ...-up-logger.bro => start-it-up-logger.zeek} | 2 +- .../{start-it-up.bro => start-it-up.zeek} | 2 +- ...stribution.bro => topic_distribution.zeek} | 2 +- ..._bifs.bro => topic_distribution_bifs.zeek} | 2 +- .../config/{basic.bro => basic.zeek} | 0 .../{basic_cluster.bro => basic_cluster.zeek} | 2 +- ...cluster_resend.bro => cluster_resend.zeek} | 2 +- .../{read_config.bro => read_config.zeek} | 0 ...g_cluster.bro => read_config_cluster.zeek} | 2 +- .../{several-files.bro => several-files.zeek} | 0 .../config/{updates.bro => updates.zeek} | 0 .../config/{weird.bro => weird.zeek} | 0 ...n_update.bro => configuration_update.zeek} | 2 +- .../control/{id_value.bro => id_value.zeek} | 2 +- .../control/{shutdown.bro => shutdown.zeek} | 0 .../{data_event.bro => data_event.zeek} | 2 +- ..._file.bro => file_exists_lookup_file.zeek} | 0 ..._mime_type.bro => 
register_mime_type.zeek} | 0 .../{remove_action.bro => remove_action.zeek} | 2 +- ...interval.bro => set_timeout_interval.zeek} | 2 +- .../bifs/{stop.bro => stop.zeek} | 2 +- ...big-bof-buffer.bro => big-bof-buffer.zeek} | 0 .../{byteranges.bro => byteranges.zeek} | 0 .../file-analysis/{ftp.bro => ftp.zeek} | 2 +- .../file-analysis/http/{get.bro => get.zeek} | 4 +- .../http/{multipart.bro => multipart.zeek} | 2 +- ...rtial-content.bro => partial-content.zeek} | 6 +-- .../http/{pipeline.bro => pipeline.zeek} | 2 +- .../http/{post.bro => post.zeek} | 2 +- .../input/{basic.bro => basic.zeek} | 2 +- .../file-analysis/{irc.bro => irc.zeek} | 2 +- .../{logging.bro => logging.zeek} | 2 +- .../file-analysis/{smtp.bro => smtp.zeek} | 2 +- .../input/{basic.bro => basic.zeek} | 0 .../input/{bignumber.bro => bignumber.zeek} | 0 .../input/{binary.bro => binary.zeek} | 0 .../input/config/{basic.bro => basic.zeek} | 0 .../input/config/{errors.bro => errors.zeek} | 0 .../input/config/{spaces.bro => spaces.zeek} | 0 .../input/{default.bro => default.zeek} | 0 ...-hashing.bro => empty-values-hashing.zeek} | 0 .../input/{emptyvals.bro => emptyvals.zeek} | 0 .../input/{errors.bro => errors.zeek} | 0 .../input/{event.bro => event.zeek} | 0 .../{invalid-lines.bro => invalid-lines.zeek} | 0 ...invalidnumbers.bro => invalidnumbers.zeek} | 0 .../input/{invalidset.bro => invalidset.zeek} | 0 .../{invalidtext.bro => invalidtext.zeek} | 0 .../{missing-enum.bro => missing-enum.zeek} | 0 ...tially.bro => missing-file-initially.zeek} | 0 .../{missing-file.bro => missing-file.zeek} | 0 ...n-norecord.bro => onecolumn-norecord.zeek} | 0 ...olumn-record.bro => onecolumn-record.zeek} | 0 .../input/{optional.bro => optional.zeek} | 0 ...solute-prefix.bro => absolute-prefix.zeek} | 6 +-- ...solute-source.bro => absolute-source.zeek} | 6 +-- .../{no-paths.bro => no-paths.zeek} | 6 +-- ...s.bro => path-prefix-common-analysis.zeek} | 0 ...vent.bro => path-prefix-common-event.zeek} | 0 ...able.bro => 
path-prefix-common-table.zeek} | 0 ...lative-prefix.bro => relative-prefix.zeek} | 6 +-- .../{port-embedded.bro => port-embedded.zeek} | 0 .../frameworks/input/{port.bro => port.zeek} | 0 ...icate-stream.bro => predicate-stream.zeek} | 0 .../input/{predicate.bro => predicate.zeek} | 0 ...edicatemodify.bro => predicatemodify.zeek} | 0 ...read.bro => predicatemodifyandreread.zeek} | 0 ...o => predicaterefusesecondsamerecord.zeek} | 0 .../input/raw/{basic.bro => basic.zeek} | 0 .../input/raw/{execute.bro => execute.zeek} | 0 .../{executestdin.bro => executestdin.zeek} | 0 .../{executestream.bro => executestream.zeek} | 0 .../input/raw/{long.bro => long.zeek} | 0 .../input/raw/{offset.bro => offset.zeek} | 0 .../raw/{rereadraw.bro => rereadraw.zeek} | 0 .../input/raw/{stderr.bro => stderr.zeek} | 0 .../raw/{streamraw.bro => streamraw.zeek} | 0 .../input/{repeat.bro => repeat.zeek} | 0 .../input/{reread.bro => reread.zeek} | 0 .../frameworks/input/{set.bro => set.zeek} | 0 .../{setseparator.bro => setseparator.zeek} | 0 ...tspecialcases.bro => setspecialcases.zeek} | 0 .../input/sqlite/{basic.bro => basic.zeek} | 0 .../input/sqlite/{error.bro => error.zeek} | 0 .../input/sqlite/{port.bro => port.zeek} | 0 .../input/sqlite/{types.bro => types.zeek} | 0 .../input/{stream.bro => stream.zeek} | 0 ...brecord-event.bro => subrecord-event.zeek} | 0 .../input/{subrecord.bro => subrecord.zeek} | 0 .../input/{tableevent.bro => tableevent.zeek} | 0 .../input/{twotables.bro => twotables.zeek} | 0 ...orted_types.bro => unsupported_types.zeek} | 0 .../input/{windows.bro => windows.zeek} | 0 ...o => cluster-transparency-with-proxy.zeek} | 2 +- ...sparency.bro => cluster-transparency.zeek} | 2 +- .../{expire-item.bro => expire-item.zeek} | 0 .../{filter-item.bro => filter-item.zeek} | 0 ...put-and-match.bro => input-and-match.zeek} | 0 .../{match-subnet.bro => match-subnet.zeek} | 0 ...bro => input-intel-absolute-prefixes.zeek} | 2 +- ...bro => input-intel-relative-prefixes.zeek} | 2 
+- .../{input-prefix.bro => input-prefix.zeek} | 2 +- .../{no-paths.bro => no-paths.zeek} | 2 +- ...fix-common.bro => path-prefix-common.zeek} | 0 ...luster.bro => read-file-dist-cluster.zeek} | 2 +- ...m-cluster.bro => remove-item-cluster.zeek} | 2 +- ...-existing.bro => remove-non-existing.zeek} | 0 .../{updated-match.bro => updated-match.zeek} | 0 .../{adapt-filter.bro => adapt-filter.zeek} | 0 .../{ascii-binary.bro => ascii-binary.zeek} | 0 .../{ascii-double.bro => ascii-double.zeek} | 4 +- .../{ascii-empty.bro => ascii-empty.zeek} | 0 ...pe-binary.bro => ascii-escape-binary.zeek} | 0 ...ty-str.bro => ascii-escape-empty-str.zeek} | 0 ...t-str.bro => ascii-escape-notset-str.zeek} | 0 ...-odd-url.bro => ascii-escape-odd-url.zeek} | 0 ...or.bro => ascii-escape-set-separator.zeek} | 0 .../{ascii-escape.bro => ascii-escape.zeek} | 0 ...cii-gz-rotate.bro => ascii-gz-rotate.zeek} | 0 .../logging/{ascii-gz.bro => ascii-gz.zeek} | 0 ...mps.bro => ascii-json-iso-timestamps.zeek} | 0 ...-optional.bro => ascii-json-optional.zeek} | 0 .../{ascii-json.bro => ascii-json.zeek} | 0 ...mment.bro => ascii-line-like-comment.zeek} | 0 .../{ascii-options.bro => ascii-options.zeek} | 0 ...i-timestamps.bro => ascii-timestamps.zeek} | 0 .../logging/{ascii-tsv.bro => ascii-tsv.zeek} | 0 .../{attr-extend.bro => attr-extend.zeek} | 0 .../logging/{attr.bro => attr.zeek} | 0 ...disable-stream.bro => disable-stream.zeek} | 0 .../{empty-event.bro => empty-event.zeek} | 0 .../{enable-stream.bro => enable-stream.zeek} | 0 .../logging/{events.bro => events.zeek} | 0 .../logging/{exclude.bro => exclude.zeek} | 0 ...bro => field-extension-cluster-error.zeek} | 6 +-- ...uster.bro => field-extension-cluster.zeek} | 6 +-- ...mplex.bro => field-extension-complex.zeek} | 0 ...valid.bro => field-extension-invalid.zeek} | 0 ...onal.bro => field-extension-optional.zeek} | 0 ...n-table.bro => field-extension-table.zeek} | 0 ...eld-extension.bro => field-extension.zeek} | 0 ...field-name-map.bro => 
field-name-map.zeek} | 0 ...eld-name-map2.bro => field-name-map2.zeek} | 0 .../logging/{file.bro => file.zeek} | 0 .../logging/{include.bro => include.zeek} | 0 .../logging/{no-local.bro => no-local.zeek} | 0 .../{none-debug.bro => none-debug.zeek} | 0 ...emote.bro => path-func-column-demote.zeek} | 0 .../logging/{path-func.bro => path-func.zeek} | 0 .../logging/{pred.bro => pred.zeek} | 0 .../logging/{remove.bro => remove.zeek} | 0 .../{rotate-custom.bro => rotate-custom.zeek} | 0 .../logging/{rotate.bro => rotate.zeek} | 0 .../logging/{scope_sep.bro => scope_sep.zeek} | 0 ....bro => scope_sep_and_field_name_map.zeek} | 0 .../logging/sqlite/{error.bro => error.zeek} | 0 .../logging/sqlite/{set.bro => set.zeek} | 0 ...us-writes.bro => simultaneous-writes.zeek} | 0 .../logging/sqlite/{types.bro => types.zeek} | 0 .../sqlite/{wikipedia.bro => wikipedia.zeek} | 0 .../logging/{stdout.bro => stdout.zeek} | 0 .../{test-logging.bro => test-logging.zeek} | 0 .../logging/{types.bro => types.zeek} | 0 .../{unset-record.bro => unset-record.zeek} | 0 .../frameworks/logging/{vec.bro => vec.zeek} | 0 ...conflict.bro => writer-path-conflict.zeek} | 0 .../{acld-hook.bro => acld-hook.zeek} | 8 ++-- .../netcontrol/{acld.bro => acld.zeek} | 8 ++-- .../{basic-cluster.bro => basic-cluster.zeek} | 8 ++-- .../netcontrol/{basic.bro => basic.zeek} | 0 .../netcontrol/{broker.bro => broker.zeek} | 8 ++-- ...n.bro => catch-and-release-forgotten.zeek} | 0 ...and-release.bro => catch-and-release.zeek} | 0 ...l-state.bro => delete-internal-state.zeek} | 0 .../{duplicate.bro => duplicate.zeek} | 0 .../{find-rules.bro => find-rules.zeek} | 0 .../netcontrol/{hook.bro => hook.zeek} | 0 .../{multiple.bro => multiple.zeek} | 0 .../{openflow.bro => openflow.zeek} | 0 .../{packetfilter.bro => packetfilter.zeek} | 0 ...-openflow.bro => quarantine-openflow.zeek} | 0 .../netcontrol/{timeout.bro => timeout.zeek} | 0 .../notice/{cluster.bro => cluster.zeek} | 2 +- .../{mail-alarms.bro => mail-alarms.zeek} | 
0 ...n-cluster.bro => suppression-cluster.zeek} | 2 +- ...n-disable.bro => suppression-disable.zeek} | 0 .../{suppression.bro => suppression.zeek} | 0 .../{broker-basic.bro => broker-basic.zeek} | 8 ++-- .../{log-basic.bro => log-basic.zeek} | 0 .../{log-cluster.bro => log-cluster.zeek} | 6 +-- .../{ryu-basic.bro => ryu-basic.zeek} | 0 ...disable-stderr.bro => disable-stderr.zeek} | 0 .../reporter/{stderr.bro => stderr.zeek} | 0 ...rsion-parsing.bro => version-parsing.zeek} | 0 .../{basic-cluster.bro => basic-cluster.zeek} | 2 +- .../sumstats/{basic.bro => basic.zeek} | 0 ...e.bro => cluster-intermediate-update.zeek} | 2 +- .../{last-cluster.bro => last-cluster.zeek} | 2 +- ...and-cluster.bro => on-demand-cluster.zeek} | 2 +- .../{on-demand.bro => on-demand.zeek} | 0 ...sample-cluster.bro => sample-cluster.zeek} | 2 +- .../sumstats/{sample.bro => sample.zeek} | 0 .../{thresholding.bro => thresholding.zeek} | 0 .../{topk-cluster.bro => topk-cluster.zeek} | 2 +- .../sumstats/{topk.bro => topk.zeek} | 0 .../base/misc/{version.bro => version.zeek} | 0 ...tents.bro => new_connection_contents.zeek} | 0 .../conn/{threshold.bro => threshold.zeek} | 0 .../dce-rpc/{context.bro => context.zeek} | 0 ..._del_measure.bro => dnp3_del_measure.zeek} | 2 +- .../{dnp3_en_spon.bro => dnp3_en_spon.zeek} | 2 +- .../{dnp3_file_del.bro => dnp3_file_del.zeek} | 2 +- ...dnp3_file_read.bro => dnp3_file_read.zeek} | 2 +- ...p3_file_write.bro => dnp3_file_write.zeek} | 2 +- ...dnp3_link_only.bro => dnp3_link_only.zeek} | 2 +- .../dnp3/{dnp3_write.bro => dnp3_read.zeek} | 2 +- .../{dnp3_rec_time.bro => dnp3_rec_time.zeek} | 2 +- ...t_operate.bro => dnp3_select_operate.zeek} | 2 +- ..._udp_en_spon.bro => dnp3_udp_en_spon.zeek} | 2 +- .../{dnp3_udp_read.bro => dnp3_udp_read.zeek} | 2 +- ...erate.bro => dnp3_udp_select_operate.zeek} | 2 +- ...dnp3_udp_write.bro => dnp3_udp_write.zeek} | 2 +- .../dnp3/{dnp3_read.bro => dnp3_write.zeek} | 2 +- .../dnp3/{events.bro => events.zeek} | 0 
.../base/protocols/dns/{caa.bro => caa.zeek} | 0 .../dns/{dns-key.bro => dns-key.zeek} | 0 .../protocols/dns/{dnskey.bro => dnskey.zeek} | 0 .../base/protocols/dns/{ds.bro => ds.zeek} | 0 ...e-reponses.bro => duplicate-reponses.zeek} | 0 .../protocols/dns/{flip.bro => flip.zeek} | 0 .../dns/{huge-ttl.bro => huge-ttl.zeek} | 0 ...-strings.bro => multiple-txt-strings.zeek} | 0 .../protocols/dns/{nsec.bro => nsec.zeek} | 0 .../protocols/dns/{nsec3.bro => nsec3.zeek} | 0 .../protocols/dns/{rrsig.bro => rrsig.zeek} | 0 .../protocols/dns/{tsig.bro => tsig.zeek} | 0 ...zero-responses.bro => zero-responses.zeek} | 0 ...cwd-navigation.bro => cwd-navigation.zeek} | 0 ...t-file-size.bro => ftp-get-file-size.zeek} | 0 .../ftp/{ftp-ipv4.bro => ftp-ipv4.zeek} | 0 .../ftp/{ftp-ipv6.bro => ftp-ipv6.zeek} | 0 .../{100-continue.bro => 100-continue.zeek} | 0 ...ocols.bro => 101-switching-protocols.zeek} | 0 ...p-skip.bro => content-range-gap-skip.zeek} | 0 ...t-range-gap.bro => content-range-gap.zeek} | 0 ...n.bro => content-range-less-than-len.zeek} | 0 .../http/{entity-gap.bro => entity-gap.zeek} | 0 .../{entity-gap2.bro => entity-gap2.zeek} | 0 ...nt-length.bro => fake-content-length.zeek} | 0 ...bro => http-bad-request-with-version.zeek} | 0 ...ader.bro => http-connect-with-header.zeek} | 0 .../{http-connect.bro => http-connect.zeek} | 0 .../{http-filename.bro => http-filename.zeek} | 0 ...-header-crlf.bro => http-header-crlf.zeek} | 0 .../{http-methods.bro => http-methods.zeek} | 0 ...tp-pipelining.bro => http-pipelining.zeek} | 0 ...ib-header.bro => missing-zlib-header.zeek} | 0 ...art-extract.bro => multipart-extract.zeek} | 0 ...le-limit.bro => multipart-file-limit.zeek} | 0 .../http/{no-uri.bro => no-uri.zeek} | 0 .../http/{no-version.bro => no-version.zeek} | 0 ...d-of-line.bro => percent-end-of-line.zeek} | 0 .../http/{x-gzip.bro => x-gzip.zeek} | 0 ...bro => zero-length-bodies-with-drops.zeek} | 0 .../irc/{names-weird.bro => names-weird.zeek} | 0 ..._parsing_big.bro => 
coil_parsing_big.zeek} | 0 ...sing_small.bro => coil_parsing_small.zeek} | 0 .../modbus/{events.bro => events.zeek} | 0 ...ngth_mismatch.bro => length_mismatch.zeek} | 0 .../modbus/{policy.bro => policy.zeek} | 0 ...ster_parsing.bro => register_parsing.zeek} | 0 .../protocols/ncp/{event.bro => event.zeek} | 0 ...size_tuning.bro => frame_size_tuning.zeek} | 0 .../pop3/{starttls.bro => starttls.zeek} | 0 ...on.bro => rdp-proprietary-encryption.zeek} | 0 .../rdp/{rdp-to-ssl.bro => rdp-to-ssl.zeek} | 0 .../rdp/{rdp-x509.bro => rdp-x509.zeek} | 0 ...b2-read-write.bro => smb2-read-write.zeek} | 0 .../snmp/{snmp-addr.bro => snmp-addr.zeek} | 0 .../base/protocols/snmp/{v1.bro => v1.zeek} | 8 ++-- .../base/protocols/snmp/{v2.bro => v2.zeek} | 6 +-- .../base/protocols/snmp/{v3.bro => v3.zeek} | 2 +- .../socks/{socks-auth.bro => socks-auth.zeek} | 0 .../{missing-pri.bro => missing-pri.zeek} | 0 .../tcp/{pending.bro => pending.zeek} | 0 .../{decompose_uri.bro => decompose_uri.zeek} | 0 testing/btest/scripts/base/utils/dir.test | 4 +- testing/btest/scripts/base/utils/exec.test | 4 +- .../utils/{hash_hrw.bro => hash_hrw.zeek} | 0 ...-policy.bro => check-test-all-policy.zeek} | 0 .../{extract-all.bro => extract-all.zeek} | 0 .../intel/{removal.bro => removal.zeek} | 0 .../intel/seen/{certs.bro => certs.zeek} | 0 .../intel/seen/{smb.bro => smb.zeek} | 0 .../intel/seen/{smtp.bro => smtp.zeek} | 0 .../{whitelisting.bro => whitelisting.zeek} | 0 ...rsion-changes.bro => version-changes.zeek} | 0 .../{vulnerable.bro => vulnerable.zeek} | 0 .../{dump-events.bro => dump-events.zeek} | 0 ...s-cluster.bro => weird-stats-cluster.zeek} | 2 +- .../{weird-stats.bro => weird-stats.zeek} | 0 .../{known-hosts.bro => known-hosts.zeek} | 0 ...known-services.bro => known-services.zeek} | 0 .../{mac-logging.bro => mac-logging.zeek} | 0 .../{vlan-logging.bro => vlan-logging.zeek} | 0 ...verse-request.bro => inverse-request.zeek} | 0 .../{flash-version.bro => flash-version.zeek} | 0 
.../{header-names.bro => header-names.zeek} | 0 ...egex.bro => test-sql-injection-regex.zeek} | 0 ...ticket-logging.bro => ticket-logging.zeek} | 0 ...teforcing.bro => detect-bruteforcing.zeek} | 0 ...expiring-certs.bro => expiring-certs.zeek} | 0 ...t-certs-pem.bro => extract-certs-pem.zeek} | 0 .../ssl/{heartbleed.bro => heartbleed.zeek} | 0 .../ssl/{known-certs.bro => known-certs.zeek} | 0 ...certs-only.bro => log-hostcerts-only.zeek} | 0 ...cache.bro => validate-certs-no-cache.zeek} | 2 +- ...validate-certs.bro => validate-certs.zeek} | 4 +- .../{validate-ocsp.bro => validate-ocsp.zeek} | 6 +-- .../{validate-sct.bro => validate-sct.zeek} | 4 +- .../ssl/{weak-keys.bro => weak-keys.zeek} | 0 ...-condition.bro => bad-eval-condition.zeek} | 0 .../btest/signatures/{dpd.bro => dpd.zeek} | 0 ...dst-ip-cidr-v4.bro => dst-ip-cidr-v4.zeek} | 0 ... => dst-ip-header-condition-v4-masks.zeek} | 0 ...v4.bro => dst-ip-header-condition-v4.zeek} | 0 ... => dst-ip-header-condition-v6-masks.zeek} | 0 ...v6.bro => dst-ip-header-condition-v6.zeek} | 0 ...ion.bro => dst-port-header-condition.zeek} | 0 ...ro => eval-condition-no-return-value.zeek} | 0 ...eval-condition.bro => eval-condition.zeek} | 0 ...ition.bro => header-header-condition.zeek} | 0 .../{id-lookup.bro => id-lookup.zeek} | 0 ...ion.bro => ip-proto-header-condition.zeek} | 0 .../{load-sigs.bro => load-sigs.zeek} | 0 ... => src-ip-header-condition-v4-masks.zeek} | 0 ...v4.bro => src-ip-header-condition-v4.zeek} | 0 ... 
=> src-ip-header-condition-v6-masks.zeek} | 0 ...v6.bro => src-ip-header-condition-v6.zeek} | 0 ...ion.bro => src-port-header-condition.zeek} | 0 ...se-match.bro => udp-packetwise-match.zeek} | 0 ...payload-size.bro => udp-payload-size.zeek} | 0 testing/external/commit-hash.zeek-testing | 2 +- .../external/commit-hash.zeek-testing-private | 2 +- testing/external/scripts/external-ca-list.bro | 1 - .../external/scripts/external-ca-list.zeek | 1 + .../{testing-setup.bro => testing-setup.zeek} | 2 +- ...rnal-ca-list.bro => external-ca-list.zeek} | 0 ...lysis-test.bro => file-analysis-test.zeek} | 0 .../scripts/{snmp-test.bro => snmp-test.zeek} | 0 862 files changed, 533 insertions(+), 529 deletions(-) rename testing/btest/bifs/{addr_count_conversion.bro => addr_count_conversion.zeek} (100%) rename testing/btest/bifs/{addr_to_ptr_name.bro => addr_to_ptr_name.zeek} (100%) rename testing/btest/bifs/{addr_version.bro => addr_version.zeek} (100%) rename testing/btest/bifs/{all_set.bro => all_set.zeek} (100%) rename testing/btest/bifs/{analyzer_name.bro => analyzer_name.zeek} (100%) rename testing/btest/bifs/{any_set.bro => any_set.zeek} (100%) rename testing/btest/bifs/{bloomfilter-seed.bro => bloomfilter-seed.zeek} (100%) rename testing/btest/bifs/{bloomfilter.bro => bloomfilter.zeek} (100%) rename testing/btest/bifs/{bro_version.bro => bro_version.zeek} (100%) rename testing/btest/bifs/{bytestring_to_count.bro => bytestring_to_count.zeek} (100%) rename testing/btest/bifs/{bytestring_to_double.bro => bytestring_to_double.zeek} (100%) rename testing/btest/bifs/{bytestring_to_hexstr.bro => bytestring_to_hexstr.zeek} (100%) rename testing/btest/bifs/{capture_state_updates.bro => capture_state_updates.zeek} (100%) rename testing/btest/bifs/{cat.bro => cat.zeek} (100%) rename testing/btest/bifs/{cat_string_array.bro => cat_string_array.zeek} (100%) rename testing/btest/bifs/{check_subnet.bro => check_subnet.zeek} (100%) rename testing/btest/bifs/{checkpoint_state.bro => 
checkpoint_state.zeek} (100%) rename testing/btest/bifs/{clear_table.bro => clear_table.zeek} (100%) rename testing/btest/bifs/{convert_for_pattern.bro => convert_for_pattern.zeek} (100%) rename testing/btest/bifs/{count_to_addr.bro => count_to_addr.zeek} (100%) rename testing/btest/bifs/{create_file.bro => create_file.zeek} (100%) rename testing/btest/bifs/{current_analyzer.bro => current_analyzer.zeek} (100%) rename testing/btest/bifs/{current_time.bro => current_time.zeek} (100%) rename testing/btest/bifs/{decode_base64.bro => decode_base64.zeek} (100%) rename testing/btest/bifs/{decode_base64_conn.bro => decode_base64_conn.zeek} (100%) rename testing/btest/bifs/{directory_operations.bro => directory_operations.zeek} (100%) rename testing/btest/bifs/{dump_current_packet.bro => dump_current_packet.zeek} (100%) rename testing/btest/bifs/{edit.bro => edit.zeek} (100%) rename testing/btest/bifs/{encode_base64.bro => encode_base64.zeek} (100%) rename testing/btest/bifs/{entropy_test.bro => entropy_test.zeek} (100%) rename testing/btest/bifs/{enum_to_int.bro => enum_to_int.zeek} (100%) rename testing/btest/bifs/{escape_string.bro => escape_string.zeek} (100%) rename testing/btest/bifs/{exit.bro => exit.zeek} (100%) rename testing/btest/bifs/{file_mode.bro => file_mode.zeek} (100%) rename testing/btest/bifs/{filter_subnet_table.bro => filter_subnet_table.zeek} (100%) rename testing/btest/bifs/{find_all.bro => find_all.zeek} (100%) rename testing/btest/bifs/{find_entropy.bro => find_entropy.zeek} (100%) rename testing/btest/bifs/{find_last.bro => find_last.zeek} (100%) rename testing/btest/bifs/{fmt.bro => fmt.zeek} (100%) rename testing/btest/bifs/{fmt_ftp_port.bro => fmt_ftp_port.zeek} (100%) rename testing/btest/bifs/{get_current_packet_header.bro => get_current_packet_header.zeek} (100%) rename testing/btest/bifs/{get_matcher_stats.bro => get_matcher_stats.zeek} (100%) rename testing/btest/bifs/{get_port_transport_proto.bro => get_port_transport_proto.zeek} (100%) 
rename testing/btest/bifs/{gethostname.bro => gethostname.zeek} (100%) rename testing/btest/bifs/{getpid.bro => getpid.zeek} (100%) rename testing/btest/bifs/{getsetenv.bro => getsetenv.zeek} (100%) rename testing/btest/bifs/{global_ids.bro => global_ids.zeek} (100%) rename testing/btest/bifs/{global_sizes.bro => global_sizes.zeek} (100%) rename testing/btest/bifs/{haversine_distance.bro => haversine_distance.zeek} (100%) rename testing/btest/bifs/{hexdump.bro => hexdump.zeek} (100%) rename testing/btest/bifs/{hexstr_to_bytestring.bro => hexstr_to_bytestring.zeek} (100%) rename testing/btest/bifs/{hll_cardinality.bro => hll_cardinality.zeek} (100%) rename testing/btest/bifs/{hll_large_estimate.bro => hll_large_estimate.zeek} (100%) rename testing/btest/bifs/{identify_data.bro => identify_data.zeek} (100%) rename testing/btest/bifs/{is_ascii.bro => is_ascii.zeek} (100%) rename testing/btest/bifs/{is_local_interface.bro => is_local_interface.zeek} (100%) rename testing/btest/bifs/{is_port.bro => is_port.zeek} (100%) rename testing/btest/bifs/{join_string.bro => join_string.zeek} (100%) rename testing/btest/bifs/{levenshtein_distance.bro => levenshtein_distance.zeek} (100%) rename testing/btest/bifs/{lookup_ID.bro => lookup_ID.zeek} (100%) rename testing/btest/bifs/{lowerupper.bro => lowerupper.zeek} (100%) rename testing/btest/bifs/{lstrip.bro => lstrip.zeek} (100%) rename testing/btest/bifs/{mask_addr.bro => mask_addr.zeek} (100%) rename testing/btest/bifs/{matching_subnets.bro => matching_subnets.zeek} (100%) rename testing/btest/bifs/{math.bro => math.zeek} (100%) rename testing/btest/bifs/{merge_pattern.bro => merge_pattern.zeek} (100%) rename testing/btest/bifs/{netbios-functions.bro => netbios-functions.zeek} (100%) rename testing/btest/bifs/{order.bro => order.zeek} (100%) rename testing/btest/bifs/{parse_ftp.bro => parse_ftp.zeek} (100%) rename testing/btest/bifs/{piped_exec.bro => piped_exec.zeek} (100%) rename testing/btest/bifs/{ptr_name_to_addr.bro => 
ptr_name_to_addr.zeek} (100%) rename testing/btest/bifs/{rand.bro => rand.zeek} (100%) rename testing/btest/bifs/{raw_bytes_to_v4_addr.bro => raw_bytes_to_v4_addr.zeek} (100%) rename testing/btest/bifs/{reading_traces.bro => reading_traces.zeek} (100%) rename testing/btest/bifs/{record_type_to_vector.bro => record_type_to_vector.zeek} (100%) rename testing/btest/bifs/{records_fields.bro => records_fields.zeek} (100%) rename testing/btest/bifs/{remask_addr.bro => remask_addr.zeek} (100%) rename testing/btest/bifs/{resize.bro => resize.zeek} (100%) rename testing/btest/bifs/{reverse.bro => reverse.zeek} (100%) rename testing/btest/bifs/{rotate_file.bro => rotate_file.zeek} (100%) rename testing/btest/bifs/{rotate_file_by_name.bro => rotate_file_by_name.zeek} (100%) rename testing/btest/bifs/{rstrip.bro => rstrip.zeek} (100%) rename testing/btest/bifs/{safe_shell_quote.bro => safe_shell_quote.zeek} (100%) rename testing/btest/bifs/{same_object.bro => same_object.zeek} (100%) rename testing/btest/bifs/{sort.bro => sort.zeek} (100%) rename testing/btest/bifs/{sort_string_array.bro => sort_string_array.zeek} (100%) rename testing/btest/bifs/{split.bro => split.zeek} (100%) rename testing/btest/bifs/{split_string.bro => split_string.zeek} (100%) rename testing/btest/bifs/{str_shell_escape.bro => str_shell_escape.zeek} (100%) rename testing/btest/bifs/{strcmp.bro => strcmp.zeek} (100%) rename testing/btest/bifs/{strftime.bro => strftime.zeek} (100%) rename testing/btest/bifs/{string_fill.bro => string_fill.zeek} (100%) rename testing/btest/bifs/{string_to_pattern.bro => string_to_pattern.zeek} (100%) rename testing/btest/bifs/{strip.bro => strip.zeek} (100%) rename testing/btest/bifs/{strptime.bro => strptime.zeek} (100%) rename testing/btest/bifs/{strstr.bro => strstr.zeek} (100%) rename testing/btest/bifs/{sub.bro => sub.zeek} (100%) rename testing/btest/bifs/{subnet_to_addr.bro => subnet_to_addr.zeek} (100%) rename testing/btest/bifs/{subnet_version.bro => 
subnet_version.zeek} (100%) rename testing/btest/bifs/{subst_string.bro => subst_string.zeek} (100%) rename testing/btest/bifs/{system.bro => system.zeek} (100%) rename testing/btest/bifs/{system_env.bro => system_env.zeek} (100%) rename testing/btest/bifs/{to_addr.bro => to_addr.zeek} (100%) rename testing/btest/bifs/{to_count.bro => to_count.zeek} (100%) rename testing/btest/bifs/{to_double.bro => to_double.zeek} (100%) rename testing/btest/bifs/{to_double_from_string.bro => to_double_from_string.zeek} (100%) rename testing/btest/bifs/{to_int.bro => to_int.zeek} (100%) rename testing/btest/bifs/{to_interval.bro => to_interval.zeek} (100%) rename testing/btest/bifs/{to_port.bro => to_port.zeek} (100%) rename testing/btest/bifs/{to_subnet.bro => to_subnet.zeek} (100%) rename testing/btest/bifs/{to_time.bro => to_time.zeek} (100%) rename testing/btest/bifs/{topk.bro => topk.zeek} (100%) rename testing/btest/bifs/{type_name.bro => type_name.zeek} (100%) rename testing/btest/bifs/{unique_id-pools.bro => unique_id-pools.zeek} (87%) rename testing/btest/bifs/{unique_id-rnd.bro => unique_id-rnd.zeek} (100%) rename testing/btest/bifs/{unique_id.bro => unique_id.zeek} (100%) rename testing/btest/bifs/{uuid_to_string.bro => uuid_to_string.zeek} (100%) rename testing/btest/bifs/{val_size.bro => val_size.zeek} (100%) rename testing/btest/bifs/{x509_verify.bro => x509_verify.zeek} (100%) rename testing/btest/broker/{connect-on-retry.bro => connect-on-retry.zeek} (91%) rename testing/btest/broker/{disconnect.bro => disconnect.zeek} (82%) rename testing/btest/broker/{error.bro => error.zeek} (88%) rename testing/btest/broker/{remote_event.bro => remote_event.zeek} (92%) rename testing/btest/broker/{remote_event_any.bro => remote_event_any.zeek} (92%) rename testing/btest/broker/{remote_event_auto.bro => remote_event_auto.zeek} (92%) rename testing/btest/broker/{remote_event_ssl_auth.bro => remote_event_ssl_auth.zeek} (98%) rename testing/btest/broker/{remote_event_vector_any.bro 
=> remote_event_vector_any.zeek} (88%) rename testing/btest/broker/{remote_id.bro => remote_id.zeek} (83%) rename testing/btest/broker/{remote_log.bro => remote_log.zeek} (83%) rename testing/btest/broker/{remote_log_late_join.bro => remote_log_late_join.zeek} (85%) rename testing/btest/broker/{remote_log_types.bro => remote_log_types.zeek} (90%) rename testing/btest/broker/{ssl_auth_failure.bro => ssl_auth_failure.zeek} (96%) rename testing/btest/broker/store/{clone.bro => clone.zeek} (96%) rename testing/btest/broker/store/{local.bro => local.zeek} (100%) rename testing/btest/broker/store/{ops.bro => ops.zeek} (100%) rename testing/btest/broker/store/{record.bro => record.zeek} (100%) rename testing/btest/broker/store/{set.bro => set.zeek} (100%) rename testing/btest/broker/store/{sqlite.bro => sqlite.zeek} (100%) rename testing/btest/broker/store/{table.bro => table.zeek} (100%) rename testing/btest/broker/store/{type-conversion.bro => type-conversion.zeek} (100%) rename testing/btest/broker/store/{vector.bro => vector.zeek} (100%) rename testing/btest/broker/{unpeer.bro => unpeer.zeek} (89%) rename testing/btest/core/{bits_per_uid.bro => bits_per_uid.zeek} (100%) rename testing/btest/core/{cisco-fabric-path.bro => cisco-fabric-path.zeek} (100%) rename testing/btest/core/{conn-size-threshold.bro => conn-size-threshold.zeek} (100%) rename testing/btest/core/{conn-uid.bro => conn-uid.zeek} (100%) rename testing/btest/core/{connection_flip_roles.bro => connection_flip_roles.zeek} (100%) rename testing/btest/core/{discarder.bro => discarder.zeek} (88%) rename testing/btest/core/{div-by-zero.bro => div-by-zero.zeek} (100%) rename testing/btest/core/{dns-init.bro => dns-init.zeek} (100%) rename testing/btest/core/{embedded-null.bro => embedded-null.zeek} (100%) rename testing/btest/core/{enum-redef-exists.bro => enum-redef-exists.zeek} (100%) rename testing/btest/core/{erspan.bro => erspan.zeek} (100%) rename testing/btest/core/{erspanII.bro => erspanII.zeek} (100%) 
rename testing/btest/core/{erspanIII.bro => erspanIII.zeek} (100%) rename testing/btest/core/{ether-addrs.bro => ether-addrs.zeek} (100%) rename testing/btest/core/{event-arg-reuse.bro => event-arg-reuse.zeek} (100%) rename testing/btest/core/{expr-exception.bro => expr-exception.zeek} (100%) rename testing/btest/core/{fake_dns.bro => fake_dns.zeek} (100%) rename testing/btest/core/{global_opaque_val.bro => global_opaque_val.zeek} (100%) rename testing/btest/core/{history-flip.bro => history-flip.zeek} (100%) rename testing/btest/core/icmp/{icmp_sent.bro => icmp_sent.zeek} (100%) rename testing/btest/core/{init-error.bro => init-error.zeek} (100%) rename testing/btest/core/{ip-broken-header.bro => ip-broken-header.zeek} (100%) rename testing/btest/core/leaks/{basic-cluster.bro => basic-cluster.zeek} (98%) rename testing/btest/core/leaks/{bloomfilter.bro => bloomfilter.zeek} (100%) rename testing/btest/core/leaks/broker/{clone_store.bro => clone_store.zeek} (93%) rename testing/btest/core/leaks/broker/{data.bro => data.zeek} (100%) rename testing/btest/core/leaks/broker/{master_store.bro => master_store.zeek} (100%) rename testing/btest/core/leaks/{dns-nsec3.bro => dns-nsec3.zeek} (100%) rename testing/btest/core/leaks/{dns-txt.bro => dns-txt.zeek} (100%) rename testing/btest/core/leaks/{dns.bro => dns.zeek} (100%) rename testing/btest/core/leaks/{dtls.bro => dtls.zeek} (100%) rename testing/btest/core/leaks/{file-analysis-http-get.bro => file-analysis-http-get.zeek} (95%) rename testing/btest/core/leaks/{hll_cluster.bro => hll_cluster.zeek} (98%) rename testing/btest/core/leaks/{hook.bro => hook.zeek} (100%) rename testing/btest/core/leaks/{http-connect.bro => http-connect.zeek} (100%) rename testing/btest/core/leaks/{input-basic.bro => input-basic.zeek} (100%) rename testing/btest/core/leaks/{input-errors.bro => input-errors.zeek} (100%) rename testing/btest/core/leaks/{input-missing-enum.bro => input-missing-enum.zeek} (100%) rename 
testing/btest/core/leaks/{input-optional-event.bro => input-optional-event.zeek} (100%) rename testing/btest/core/leaks/{input-optional-table.bro => input-optional-table.zeek} (100%) rename testing/btest/core/leaks/{input-raw.bro => input-raw.zeek} (100%) rename testing/btest/core/leaks/{input-reread.bro => input-reread.zeek} (100%) rename testing/btest/core/leaks/{input-sqlite.bro => input-sqlite.zeek} (100%) rename testing/btest/core/leaks/{input-with-remove.bro => input-with-remove.zeek} (100%) rename testing/btest/core/leaks/{kv-iteration.bro => kv-iteration.zeek} (100%) rename testing/btest/core/leaks/{pattern.bro => pattern.zeek} (100%) rename testing/btest/core/leaks/{returnwhen.bro => returnwhen.zeek} (100%) rename testing/btest/core/leaks/{set.bro => set.zeek} (100%) rename testing/btest/core/leaks/{stats.bro => stats.zeek} (92%) rename testing/btest/core/leaks/{string-indexing.bro => string-indexing.zeek} (100%) rename testing/btest/core/leaks/{switch-statement.bro => switch-statement.zeek} (100%) rename testing/btest/core/leaks/{teredo.bro => teredo.zeek} (100%) rename testing/btest/core/leaks/{test-all.bro => test-all.zeek} (100%) rename testing/btest/core/leaks/{while.bro => while.zeek} (100%) rename testing/btest/core/leaks/{x509_ocsp_verify.bro => x509_ocsp_verify.zeek} (100%) rename testing/btest/core/leaks/{x509_verify.bro => x509_verify.zeek} (100%) rename testing/btest/core/{load-duplicates.bro => load-duplicates.zeek} (100%) rename testing/btest/core/{load-file-extension.bro => load-file-extension.zeek} (100%) rename testing/btest/core/{load-pkg.bro => load-pkg.zeek} (100%) rename testing/btest/core/{load-prefixes.bro => load-prefixes.zeek} (95%) rename testing/btest/core/{load-relative.bro => load-relative.zeek} (74%) rename testing/btest/core/{load-unload.bro => load-unload.zeek} (100%) rename testing/btest/core/{mpls-in-vlan.bro => mpls-in-vlan.zeek} (100%) rename testing/btest/core/{nflog.bro => nflog.zeek} (100%) rename 
testing/btest/core/{nop.bro => nop.zeek} (100%) rename testing/btest/core/{old_comm_usage.bro => old_comm_usage.zeek} (100%) rename testing/btest/core/{option-errors.bro => option-errors.zeek} (100%) rename testing/btest/core/{option-priorities.bro => option-priorities.zeek} (100%) rename testing/btest/core/{option-redef.bro => option-redef.zeek} (100%) rename testing/btest/core/{option-runtime-errors.bro => option-runtime-errors.zeek} (100%) rename testing/btest/core/pcap/{dumper.bro => dumper.zeek} (100%) rename testing/btest/core/pcap/{dynamic-filter.bro => dynamic-filter.zeek} (100%) rename testing/btest/core/pcap/{filter-error.bro => filter-error.zeek} (100%) rename testing/btest/core/pcap/{input-error.bro => input-error.zeek} (100%) rename testing/btest/core/pcap/{pseudo-realtime.bro => pseudo-realtime.zeek} (100%) rename testing/btest/core/pcap/{read-trace-with-filter.bro => read-trace-with-filter.zeek} (100%) rename testing/btest/core/{pppoe-over-qinq.bro => pppoe-over-qinq.zeek} (100%) rename testing/btest/core/{print-bpf-filters.bro => print-bpf-filters.zeek} (100%) rename testing/btest/core/{q-in-q.bro => q-in-q.zeek} (100%) rename testing/btest/core/{radiotap.bro => radiotap.zeek} (100%) rename testing/btest/core/{raw_packet.bro => raw_packet.zeek} (100%) rename testing/btest/core/{reassembly.bro => reassembly.zeek} (100%) rename testing/btest/core/{recursive-event.bro => recursive-event.zeek} (100%) rename testing/btest/core/{reporter-error-in-handler.bro => reporter-error-in-handler.zeek} (100%) rename testing/btest/core/{reporter-fmt-strings.bro => reporter-fmt-strings.zeek} (100%) rename testing/btest/core/{reporter-parse-error.bro => reporter-parse-error.zeek} (100%) rename testing/btest/core/{reporter-runtime-error.bro => reporter-runtime-error.zeek} (100%) rename testing/btest/core/{reporter-shutdown-order-errors.bro => reporter-shutdown-order-errors.zeek} (100%) rename testing/btest/core/{reporter-type-mismatch.bro => 
reporter-type-mismatch.zeek} (100%) rename testing/btest/core/{reporter-weird-sampling-disable.bro => reporter-weird-sampling-disable.zeek} (100%) rename testing/btest/core/{reporter-weird-sampling.bro => reporter-weird-sampling.zeek} (100%) rename testing/btest/core/{reporter.bro => reporter.zeek} (100%) rename testing/btest/core/tcp/{fin-retransmit.bro => fin-retransmit.zeek} (100%) rename testing/btest/core/tcp/{large-file-reassembly.bro => large-file-reassembly.zeek} (100%) rename testing/btest/core/tcp/{miss-end-data.bro => miss-end-data.zeek} (100%) rename testing/btest/core/tcp/{missing-syn.bro => missing-syn.zeek} (100%) rename testing/btest/core/tcp/{quantum-insert.bro => quantum-insert.zeek} (100%) rename testing/btest/core/tcp/{rst-after-syn.bro => rst-after-syn.zeek} (100%) rename testing/btest/core/tcp/{rxmit-history.bro => rxmit-history.zeek} (100%) rename testing/btest/core/tcp/{truncated-header.bro => truncated-header.zeek} (100%) rename testing/btest/core/tunnels/{false-teredo.bro => false-teredo.zeek} (100%) rename testing/btest/core/tunnels/{ip-in-ip-version.bro => ip-in-ip-version.zeek} (100%) rename testing/btest/core/tunnels/{teredo.bro => teredo.zeek} (100%) rename testing/btest/core/tunnels/{vxlan.bro => vxlan.zeek} (100%) rename testing/btest/core/{vector-assignment.bro => vector-assignment.zeek} (100%) rename testing/btest/core/{vlan-mpls.bro => vlan-mpls.zeek} (100%) rename testing/btest/core/{when-interpreter-exceptions.bro => when-interpreter-exceptions.zeek} (100%) rename testing/btest/core/{wlanmon.bro => wlanmon.zeek} (100%) rename testing/btest/core/{x509-generalizedtime.bro => x509-generalizedtime.zeek} (100%) rename testing/btest/coverage/{coverage-blacklist.bro => coverage-blacklist.zeek} (100%) rename testing/btest/doc/broxygen/{command_line.bro => command_line.zeek} (100%) rename testing/btest/doc/broxygen/{comment_retrieval_bifs.bro => comment_retrieval_bifs.zeek} (100%) rename testing/btest/doc/broxygen/{enums.bro => 
enums.zeek} (100%) rename testing/btest/doc/broxygen/{example.bro => example.zeek} (100%) rename testing/btest/doc/broxygen/{func-params.bro => func-params.zeek} (100%) rename testing/btest/doc/broxygen/{identifier.bro => identifier.zeek} (100%) rename testing/btest/doc/broxygen/{package.bro => package.zeek} (100%) rename testing/btest/doc/broxygen/{package_index.bro => package_index.zeek} (100%) rename testing/btest/doc/broxygen/{records.bro => records.zeek} (100%) rename testing/btest/doc/broxygen/{script_index.bro => script_index.zeek} (100%) rename testing/btest/doc/broxygen/{script_summary.bro => script_summary.zeek} (100%) rename testing/btest/doc/broxygen/{type-aliases.bro => type-aliases.zeek} (100%) rename testing/btest/doc/broxygen/{vectors.bro => vectors.zeek} (100%) rename testing/btest/doc/{record-add.bro => record-add.zeek} (100%) rename testing/btest/doc/{record-attr-check.bro => record-attr-check.zeek} (100%) rename testing/btest/language/{addr.bro => addr.zeek} (100%) rename testing/btest/language/{any.bro => any.zeek} (100%) rename testing/btest/language/{at-deprecated.bro => at-deprecated.zeek} (63%) rename testing/btest/language/{at-dir.bro => at-dir.zeek} (75%) rename testing/btest/language/{at-filename.bro => at-filename.zeek} (100%) rename testing/btest/language/{at-if-event.bro => at-if-event.zeek} (100%) rename testing/btest/language/{at-if-invalid.bro => at-if-invalid.zeek} (100%) rename testing/btest/language/{at-if.bro => at-if.zeek} (100%) rename testing/btest/language/{at-ifdef.bro => at-ifdef.zeek} (100%) rename testing/btest/language/{at-ifndef.bro => at-ifndef.zeek} (100%) rename testing/btest/language/{at-load.bro => at-load.zeek} (100%) rename testing/btest/language/{attr-default-coercion.bro => attr-default-coercion.zeek} (100%) rename testing/btest/language/{attr-default-global-set-error.bro => attr-default-global-set-error.zeek} (100%) rename testing/btest/language/{bool.bro => bool.zeek} (100%) rename 
testing/btest/language/{common-mistakes.bro => common-mistakes.zeek} (87%) rename testing/btest/language/{conditional-expression.bro => conditional-expression.zeek} (100%) rename testing/btest/language/{const.bro => const.zeek} (84%) rename testing/btest/language/{container-ctor-scope.bro => container-ctor-scope.zeek} (100%) rename testing/btest/language/{copy.bro => copy.zeek} (100%) rename testing/btest/language/{count.bro => count.zeek} (100%) rename testing/btest/language/{cross-product-init.bro => cross-product-init.zeek} (100%) rename testing/btest/language/{default-params.bro => default-params.zeek} (100%) rename testing/btest/language/{delete-field-set.bro => delete-field-set.zeek} (100%) rename testing/btest/language/{delete-field.bro => delete-field.zeek} (100%) rename testing/btest/language/{deprecated.bro => deprecated.zeek} (100%) rename testing/btest/language/{double.bro => double.zeek} (100%) rename testing/btest/language/{enum-desc.bro => enum-desc.zeek} (100%) rename testing/btest/language/{enum-scope.bro => enum-scope.zeek} (100%) rename testing/btest/language/{enum.bro => enum.zeek} (100%) rename testing/btest/language/{eof-parse-errors.bro => eof-parse-errors.zeek} (55%) rename testing/btest/language/{event-local-var.bro => event-local-var.zeek} (100%) rename testing/btest/language/{event.bro => event.zeek} (100%) rename testing/btest/language/{expire-expr-error.bro => expire-expr-error.zeek} (100%) rename testing/btest/language/{expire-func-undef.bro => expire-func-undef.zeek} (100%) rename testing/btest/language/{expire-redef.bro => expire-redef.zeek} (100%) rename testing/btest/language/{expire-type-error.bro => expire-type-error.zeek} (100%) rename testing/btest/language/{expire_func_mod.bro => expire_func_mod.zeek} (100%) rename testing/btest/language/{file.bro => file.zeek} (100%) rename testing/btest/language/{for.bro => for.zeek} (100%) rename testing/btest/language/{func-assignment.bro => func-assignment.zeek} (100%) rename 
testing/btest/language/{function.bro => function.zeek} (100%) rename testing/btest/language/{hook.bro => hook.zeek} (100%) rename testing/btest/language/{hook_calls.bro => hook_calls.zeek} (89%) rename testing/btest/language/{if.bro => if.zeek} (100%) rename testing/btest/language/{index-assignment-invalid.bro => index-assignment-invalid.zeek} (100%) rename testing/btest/language/{init-in-anon-function.bro => init-in-anon-function.zeek} (100%) rename testing/btest/language/{int.bro => int.zeek} (100%) rename testing/btest/language/{interval.bro => interval.zeek} (100%) rename testing/btest/language/{invalid_index.bro => invalid_index.zeek} (100%) rename testing/btest/language/{ipv6-literals.bro => ipv6-literals.zeek} (100%) rename testing/btest/language/{key-value-for.bro => key-value-for.zeek} (100%) rename testing/btest/language/{module.bro => module.zeek} (100%) rename testing/btest/language/{named-record-ctors.bro => named-record-ctors.zeek} (100%) rename testing/btest/language/{named-set-ctors.bro => named-set-ctors.zeek} (100%) rename testing/btest/language/{named-table-ctors.bro => named-table-ctors.zeek} (100%) rename testing/btest/language/{named-vector-ctors.bro => named-vector-ctors.zeek} (100%) rename testing/btest/language/{nested-sets.bro => nested-sets.zeek} (100%) rename testing/btest/language/{next-test.bro => next-test.zeek} (100%) rename testing/btest/language/{no-module.bro => no-module.zeek} (100%) rename testing/btest/language/{null-statement.bro => null-statement.zeek} (100%) rename testing/btest/language/{outer_param_binding.bro => outer_param_binding.zeek} (100%) rename testing/btest/language/{pattern.bro => pattern.zeek} (100%) rename testing/btest/language/{port.bro => port.zeek} (100%) rename testing/btest/language/{precedence.bro => precedence.zeek} (100%) rename testing/btest/language/{rec-comp-init.bro => rec-comp-init.zeek} (100%) rename testing/btest/language/{rec-nested-opt.bro => rec-nested-opt.zeek} (100%) rename 
testing/btest/language/{rec-of-tbl.bro => rec-of-tbl.zeek} (100%) rename testing/btest/language/{rec-table-default.bro => rec-table-default.zeek} (100%) rename testing/btest/language/{record-bad-ctor.bro => record-bad-ctor.zeek} (100%) rename testing/btest/language/{record-bad-ctor2.bro => record-bad-ctor2.zeek} (100%) rename testing/btest/language/{record-ceorce-orphan.bro => record-ceorce-orphan.zeek} (100%) rename testing/btest/language/{record-coerce-clash.bro => record-coerce-clash.zeek} (100%) rename testing/btest/language/{record-default-coercion.bro => record-default-coercion.zeek} (100%) rename testing/btest/language/{record-default-set-mismatch.bro => record-default-set-mismatch.zeek} (100%) rename testing/btest/language/{record-extension.bro => record-extension.zeek} (100%) rename testing/btest/language/{record-function-recursion.bro => record-function-recursion.zeek} (100%) rename testing/btest/language/{record-index-complex-fields.bro => record-index-complex-fields.zeek} (100%) rename testing/btest/language/{record-recursive-coercion.bro => record-recursive-coercion.zeek} (100%) rename testing/btest/language/{record-redef-after-init.bro => record-redef-after-init.zeek} (100%) rename testing/btest/language/{record-ref-assign.bro => record-ref-assign.zeek} (100%) rename testing/btest/language/{record-type-checking.bro => record-type-checking.zeek} (100%) rename testing/btest/language/{redef-same-prefixtable-idx.bro => redef-same-prefixtable-idx.zeek} (100%) rename testing/btest/language/{redef-vector.bro => redef-vector.zeek} (100%) rename testing/btest/language/{returnwhen.bro => returnwhen.zeek} (100%) rename testing/btest/language/{set-opt-record-index.bro => set-opt-record-index.zeek} (100%) rename testing/btest/language/{set-type-checking.bro => set-type-checking.zeek} (100%) rename testing/btest/language/{set.bro => set.zeek} (100%) rename testing/btest/language/{short-circuit.bro => short-circuit.zeek} (100%) rename 
testing/btest/language/{sizeof.bro => sizeof.zeek} (100%) rename testing/btest/language/{smith-waterman-test.bro => smith-waterman-test.zeek} (100%) rename testing/btest/language/{string-indexing.bro => string-indexing.zeek} (100%) rename testing/btest/language/{string.bro => string.zeek} (100%) rename testing/btest/language/{strings.bro => strings.zeek} (100%) rename testing/btest/language/{subnet-errors.bro => subnet-errors.zeek} (100%) rename testing/btest/language/{subnet.bro => subnet.zeek} (100%) rename testing/btest/language/{switch-error-mixed.bro => switch-error-mixed.zeek} (100%) rename testing/btest/language/{switch-incomplete.bro => switch-incomplete.zeek} (100%) rename testing/btest/language/{switch-statement.bro => switch-statement.zeek} (100%) rename testing/btest/language/{switch-types-error-duplicate.bro => switch-types-error-duplicate.zeek} (100%) rename testing/btest/language/{switch-types-error-unsupported.bro => switch-types-error-unsupported.zeek} (100%) rename testing/btest/language/{switch-types-vars.bro => switch-types-vars.zeek} (100%) rename testing/btest/language/{switch-types.bro => switch-types.zeek} (100%) rename testing/btest/language/{table-default-record.bro => table-default-record.zeek} (100%) rename testing/btest/language/{table-init-attrs.bro => table-init-attrs.zeek} (100%) rename testing/btest/language/{table-init-container-ctors.bro => table-init-container-ctors.zeek} (100%) rename testing/btest/language/{table-init-record-idx.bro => table-init-record-idx.zeek} (100%) rename testing/btest/language/{table-init.bro => table-init.zeek} (100%) rename testing/btest/language/{table-redef.bro => table-redef.zeek} (100%) rename testing/btest/language/{table-type-checking.bro => table-type-checking.zeek} (100%) rename testing/btest/language/{table.bro => table.zeek} (100%) rename testing/btest/language/{ternary-record-mismatch.bro => ternary-record-mismatch.zeek} (100%) rename testing/btest/language/{time.bro => time.zeek} (100%) 
rename testing/btest/language/{timeout.bro => timeout.zeek} (100%) rename testing/btest/language/{type-cast-any.bro => type-cast-any.zeek} (100%) rename testing/btest/language/{type-cast-error-dynamic.bro => type-cast-error-dynamic.zeek} (100%) rename testing/btest/language/{type-cast-error-static.bro => type-cast-error-static.zeek} (100%) rename testing/btest/language/{type-cast-same.bro => type-cast-same.zeek} (100%) rename testing/btest/language/{type-check-any.bro => type-check-any.zeek} (100%) rename testing/btest/language/{type-check-vector.bro => type-check-vector.zeek} (100%) rename testing/btest/language/{type-type-error.bro => type-type-error.zeek} (100%) rename testing/btest/language/{undefined-delete-field.bro => undefined-delete-field.zeek} (100%) rename testing/btest/language/{uninitialized-local.bro => uninitialized-local.zeek} (100%) rename testing/btest/language/{uninitialized-local2.bro => uninitialized-local2.zeek} (100%) rename testing/btest/language/{vector-any-append.bro => vector-any-append.zeek} (100%) rename testing/btest/language/{vector-coerce-expr.bro => vector-coerce-expr.zeek} (100%) rename testing/btest/language/{vector-in-operator.bro => vector-in-operator.zeek} (100%) rename testing/btest/language/{vector-list-init-records.bro => vector-list-init-records.zeek} (100%) rename testing/btest/language/{vector-type-checking.bro => vector-type-checking.zeek} (100%) rename testing/btest/language/{vector-unspecified.bro => vector-unspecified.zeek} (100%) rename testing/btest/language/{vector.bro => vector.zeek} (100%) rename testing/btest/language/{when-unitialized-rhs.bro => when-unitialized-rhs.zeek} (100%) rename testing/btest/language/{when.bro => when.zeek} (100%) rename testing/btest/language/{while.bro => while.zeek} (100%) rename testing/btest/language/{wrong-delete-field.bro => wrong-delete-field.zeek} (100%) rename testing/btest/language/{wrong-record-extension.bro => wrong-record-extension.zeek} (100%) rename 
testing/btest/plugins/{file.bro => file.zeek} (100%) rename testing/btest/plugins/{hooks.bro => hooks.zeek} (100%) rename testing/btest/plugins/{init-plugin.bro => init-plugin.zeek} (100%) rename testing/btest/plugins/{logging-hooks.bro => logging-hooks.zeek} (100%) rename testing/btest/plugins/{pktdumper.bro => pktdumper.zeek} (100%) rename testing/btest/plugins/{pktsrc.bro => pktsrc.zeek} (100%) rename testing/btest/plugins/{plugin-nopatchversion.bro => plugin-nopatchversion.zeek} (100%) rename testing/btest/plugins/{plugin-withpatchversion.bro => plugin-withpatchversion.zeek} (100%) rename testing/btest/plugins/protocol-plugin/scripts/Demo/Foo/base/{main.bro => main.zeek} (100%) rename testing/btest/plugins/{protocol.bro => protocol.zeek} (100%) rename testing/btest/plugins/{reader.bro => reader.zeek} (100%) rename testing/btest/plugins/{reporter-hook.bro => reporter-hook.zeek} (100%) rename testing/btest/plugins/{writer.bro => writer.zeek} (100%) rename testing/btest/scripts/base/files/data_event/{basic.bro => basic.zeek} (100%) rename testing/btest/scripts/base/files/extract/{limit.bro => limit.zeek} (100%) rename testing/btest/scripts/base/files/unified2/{alert.bro => alert.zeek} (100%) rename testing/btest/scripts/base/frameworks/analyzer/{disable-analyzer.bro => disable-analyzer.zeek} (100%) rename testing/btest/scripts/base/frameworks/analyzer/{enable-analyzer.bro => enable-analyzer.zeek} (100%) rename testing/btest/scripts/base/frameworks/analyzer/{register-for-port.bro => register-for-port.zeek} (100%) rename testing/btest/scripts/base/frameworks/analyzer/{schedule-analyzer.bro => schedule-analyzer.zeek} (100%) rename testing/btest/scripts/base/frameworks/cluster/{custom_pool_exclusivity.bro => custom_pool_exclusivity.zeek} (98%) rename testing/btest/scripts/base/frameworks/cluster/{custom_pool_limits.bro => custom_pool_limits.zeek} (98%) rename testing/btest/scripts/base/frameworks/cluster/{forwarding.bro => forwarding.zeek} (98%) rename 
testing/btest/scripts/base/frameworks/cluster/{log_distribution.bro => log_distribution.zeek} (98%) rename testing/btest/scripts/base/frameworks/cluster/{start-it-up-logger.bro => start-it-up-logger.zeek} (98%) rename testing/btest/scripts/base/frameworks/cluster/{start-it-up.bro => start-it-up.zeek} (98%) rename testing/btest/scripts/base/frameworks/cluster/{topic_distribution.bro => topic_distribution.zeek} (98%) rename testing/btest/scripts/base/frameworks/cluster/{topic_distribution_bifs.bro => topic_distribution_bifs.zeek} (98%) rename testing/btest/scripts/base/frameworks/config/{basic.bro => basic.zeek} (100%) rename testing/btest/scripts/base/frameworks/config/{basic_cluster.bro => basic_cluster.zeek} (98%) rename testing/btest/scripts/base/frameworks/config/{cluster_resend.bro => cluster_resend.zeek} (98%) rename testing/btest/scripts/base/frameworks/config/{read_config.bro => read_config.zeek} (100%) rename testing/btest/scripts/base/frameworks/config/{read_config_cluster.bro => read_config_cluster.zeek} (98%) rename testing/btest/scripts/base/frameworks/config/{several-files.bro => several-files.zeek} (100%) rename testing/btest/scripts/base/frameworks/config/{updates.bro => updates.zeek} (100%) rename testing/btest/scripts/base/frameworks/config/{weird.bro => weird.zeek} (100%) rename testing/btest/scripts/base/frameworks/control/{configuration_update.bro => configuration_update.zeek} (97%) rename testing/btest/scripts/base/frameworks/control/{id_value.bro => id_value.zeek} (95%) rename testing/btest/scripts/base/frameworks/control/{shutdown.bro => shutdown.zeek} (100%) rename testing/btest/scripts/base/frameworks/file-analysis/actions/{data_event.bro => data_event.zeek} (84%) rename testing/btest/scripts/base/frameworks/file-analysis/bifs/{file_exists_lookup_file.bro => file_exists_lookup_file.zeek} (100%) rename testing/btest/scripts/base/frameworks/file-analysis/bifs/{register_mime_type.bro => register_mime_type.zeek} (100%) rename 
testing/btest/scripts/base/frameworks/file-analysis/bifs/{remove_action.bro => remove_action.zeek} (94%) rename testing/btest/scripts/base/frameworks/file-analysis/bifs/{set_timeout_interval.bro => set_timeout_interval.zeek} (92%) rename testing/btest/scripts/base/frameworks/file-analysis/bifs/{stop.bro => stop.zeek} (86%) rename testing/btest/scripts/base/frameworks/file-analysis/{big-bof-buffer.bro => big-bof-buffer.zeek} (100%) rename testing/btest/scripts/base/frameworks/file-analysis/{byteranges.bro => byteranges.zeek} (100%) rename testing/btest/scripts/base/frameworks/file-analysis/{ftp.bro => ftp.zeek} (91%) rename testing/btest/scripts/base/frameworks/file-analysis/http/{get.bro => get.zeek} (84%) rename testing/btest/scripts/base/frameworks/file-analysis/http/{multipart.bro => multipart.zeek} (92%) rename testing/btest/scripts/base/frameworks/file-analysis/http/{partial-content.bro => partial-content.zeek} (87%) rename testing/btest/scripts/base/frameworks/file-analysis/http/{pipeline.bro => pipeline.zeek} (90%) rename testing/btest/scripts/base/frameworks/file-analysis/http/{post.bro => post.zeek} (92%) rename testing/btest/scripts/base/frameworks/file-analysis/input/{basic.bro => basic.zeek} (98%) rename testing/btest/scripts/base/frameworks/file-analysis/{irc.bro => irc.zeek} (92%) rename testing/btest/scripts/base/frameworks/file-analysis/{logging.bro => logging.zeek} (92%) rename testing/btest/scripts/base/frameworks/file-analysis/{smtp.bro => smtp.zeek} (95%) rename testing/btest/scripts/base/frameworks/input/{basic.bro => basic.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{bignumber.bro => bignumber.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{binary.bro => binary.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/config/{basic.bro => basic.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/config/{errors.bro => errors.zeek} (100%) rename 
testing/btest/scripts/base/frameworks/input/config/{spaces.bro => spaces.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{default.bro => default.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{empty-values-hashing.bro => empty-values-hashing.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{emptyvals.bro => emptyvals.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{errors.bro => errors.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{event.bro => event.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{invalid-lines.bro => invalid-lines.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{invalidnumbers.bro => invalidnumbers.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{invalidset.bro => invalidset.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{invalidtext.bro => invalidtext.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{missing-enum.bro => missing-enum.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{missing-file-initially.bro => missing-file-initially.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{missing-file.bro => missing-file.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{onecolumn-norecord.bro => onecolumn-norecord.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{onecolumn-record.bro => onecolumn-record.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{optional.bro => optional.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/path-prefix/{absolute-prefix.bro => absolute-prefix.zeek} (92%) rename testing/btest/scripts/base/frameworks/input/path-prefix/{absolute-source.bro => absolute-source.zeek} (91%) rename testing/btest/scripts/base/frameworks/input/path-prefix/{no-paths.bro => no-paths.zeek} (89%) rename testing/btest/scripts/base/frameworks/input/path-prefix/{path-prefix-common-analysis.bro => 
path-prefix-common-analysis.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/path-prefix/{path-prefix-common-event.bro => path-prefix-common-event.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/path-prefix/{path-prefix-common-table.bro => path-prefix-common-table.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/path-prefix/{relative-prefix.bro => relative-prefix.zeek} (91%) rename testing/btest/scripts/base/frameworks/input/{port-embedded.bro => port-embedded.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{port.bro => port.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{predicate-stream.bro => predicate-stream.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{predicate.bro => predicate.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{predicatemodify.bro => predicatemodify.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{predicatemodifyandreread.bro => predicatemodifyandreread.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{predicaterefusesecondsamerecord.bro => predicaterefusesecondsamerecord.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/raw/{basic.bro => basic.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/raw/{execute.bro => execute.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/raw/{executestdin.bro => executestdin.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/raw/{executestream.bro => executestream.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/raw/{long.bro => long.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/raw/{offset.bro => offset.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/raw/{rereadraw.bro => rereadraw.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/raw/{stderr.bro => stderr.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/raw/{streamraw.bro => 
streamraw.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{repeat.bro => repeat.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{reread.bro => reread.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{set.bro => set.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{setseparator.bro => setseparator.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{setspecialcases.bro => setspecialcases.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/sqlite/{basic.bro => basic.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/sqlite/{error.bro => error.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/sqlite/{port.bro => port.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/sqlite/{types.bro => types.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{stream.bro => stream.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{subrecord-event.bro => subrecord-event.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{subrecord.bro => subrecord.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{tableevent.bro => tableevent.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{twotables.bro => twotables.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{unsupported_types.bro => unsupported_types.zeek} (100%) rename testing/btest/scripts/base/frameworks/input/{windows.bro => windows.zeek} (100%) rename testing/btest/scripts/base/frameworks/intel/{cluster-transparency-with-proxy.bro => cluster-transparency-with-proxy.zeek} (98%) rename testing/btest/scripts/base/frameworks/intel/{cluster-transparency.bro => cluster-transparency.zeek} (98%) rename testing/btest/scripts/base/frameworks/intel/{expire-item.bro => expire-item.zeek} (100%) rename testing/btest/scripts/base/frameworks/intel/{filter-item.bro => filter-item.zeek} (100%) rename 
testing/btest/scripts/base/frameworks/intel/{input-and-match.bro => input-and-match.zeek} (100%) rename testing/btest/scripts/base/frameworks/intel/{match-subnet.bro => match-subnet.zeek} (100%) rename testing/btest/scripts/base/frameworks/intel/path-prefix/{input-intel-absolute-prefixes.bro => input-intel-absolute-prefixes.zeek} (96%) rename testing/btest/scripts/base/frameworks/intel/path-prefix/{input-intel-relative-prefixes.bro => input-intel-relative-prefixes.zeek} (95%) rename testing/btest/scripts/base/frameworks/intel/path-prefix/{input-prefix.bro => input-prefix.zeek} (95%) rename testing/btest/scripts/base/frameworks/intel/path-prefix/{no-paths.bro => no-paths.zeek} (94%) rename testing/btest/scripts/base/frameworks/intel/path-prefix/{path-prefix-common.bro => path-prefix-common.zeek} (100%) rename testing/btest/scripts/base/frameworks/intel/{read-file-dist-cluster.bro => read-file-dist-cluster.zeek} (98%) rename testing/btest/scripts/base/frameworks/intel/{remove-item-cluster.bro => remove-item-cluster.zeek} (98%) rename testing/btest/scripts/base/frameworks/intel/{remove-non-existing.bro => remove-non-existing.zeek} (100%) rename testing/btest/scripts/base/frameworks/intel/{updated-match.bro => updated-match.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{adapt-filter.bro => adapt-filter.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-binary.bro => ascii-binary.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-double.bro => ascii-double.zeek} (95%) rename testing/btest/scripts/base/frameworks/logging/{ascii-empty.bro => ascii-empty.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-escape-binary.bro => ascii-escape-binary.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-escape-empty-str.bro => ascii-escape-empty-str.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-escape-notset-str.bro => ascii-escape-notset-str.zeek} 
(100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-escape-odd-url.bro => ascii-escape-odd-url.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-escape-set-separator.bro => ascii-escape-set-separator.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-escape.bro => ascii-escape.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-gz-rotate.bro => ascii-gz-rotate.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-gz.bro => ascii-gz.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-json-iso-timestamps.bro => ascii-json-iso-timestamps.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-json-optional.bro => ascii-json-optional.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-json.bro => ascii-json.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-line-like-comment.bro => ascii-line-like-comment.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-options.bro => ascii-options.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-timestamps.bro => ascii-timestamps.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{ascii-tsv.bro => ascii-tsv.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{attr-extend.bro => attr-extend.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{attr.bro => attr.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{disable-stream.bro => disable-stream.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{empty-event.bro => empty-event.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{enable-stream.bro => enable-stream.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{events.bro => events.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{exclude.bro => exclude.zeek} (100%) rename 
testing/btest/scripts/base/frameworks/logging/{field-extension-cluster-error.bro => field-extension-cluster-error.zeek} (87%) rename testing/btest/scripts/base/frameworks/logging/{field-extension-cluster.bro => field-extension-cluster.zeek} (84%) rename testing/btest/scripts/base/frameworks/logging/{field-extension-complex.bro => field-extension-complex.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{field-extension-invalid.bro => field-extension-invalid.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{field-extension-optional.bro => field-extension-optional.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{field-extension-table.bro => field-extension-table.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{field-extension.bro => field-extension.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{field-name-map.bro => field-name-map.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{field-name-map2.bro => field-name-map2.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{file.bro => file.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{include.bro => include.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{no-local.bro => no-local.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{none-debug.bro => none-debug.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{path-func-column-demote.bro => path-func-column-demote.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{path-func.bro => path-func.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{pred.bro => pred.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{remove.bro => remove.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{rotate-custom.bro => rotate-custom.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{rotate.bro => rotate.zeek} (100%) rename 
testing/btest/scripts/base/frameworks/logging/{scope_sep.bro => scope_sep.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{scope_sep_and_field_name_map.bro => scope_sep_and_field_name_map.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/sqlite/{error.bro => error.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/sqlite/{set.bro => set.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/sqlite/{simultaneous-writes.bro => simultaneous-writes.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/sqlite/{types.bro => types.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/sqlite/{wikipedia.bro => wikipedia.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{stdout.bro => stdout.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{test-logging.bro => test-logging.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{types.bro => types.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{unset-record.bro => unset-record.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{vec.bro => vec.zeek} (100%) rename testing/btest/scripts/base/frameworks/logging/{writer-path-conflict.bro => writer-path-conflict.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{acld-hook.bro => acld-hook.zeek} (95%) rename testing/btest/scripts/base/frameworks/netcontrol/{acld.bro => acld.zeek} (95%) rename testing/btest/scripts/base/frameworks/netcontrol/{basic-cluster.bro => basic-cluster.zeek} (81%) rename testing/btest/scripts/base/frameworks/netcontrol/{basic.bro => basic.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{broker.bro => broker.zeek} (95%) rename testing/btest/scripts/base/frameworks/netcontrol/{catch-and-release-forgotten.bro => catch-and-release-forgotten.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{catch-and-release.bro => catch-and-release.zeek} (100%) 
rename testing/btest/scripts/base/frameworks/netcontrol/{delete-internal-state.bro => delete-internal-state.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{duplicate.bro => duplicate.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{find-rules.bro => find-rules.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{hook.bro => hook.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{multiple.bro => multiple.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{openflow.bro => openflow.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{packetfilter.bro => packetfilter.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{quarantine-openflow.bro => quarantine-openflow.zeek} (100%) rename testing/btest/scripts/base/frameworks/netcontrol/{timeout.bro => timeout.zeek} (100%) rename testing/btest/scripts/base/frameworks/notice/{cluster.bro => cluster.zeek} (97%) rename testing/btest/scripts/base/frameworks/notice/{mail-alarms.bro => mail-alarms.zeek} (100%) rename testing/btest/scripts/base/frameworks/notice/{suppression-cluster.bro => suppression-cluster.zeek} (98%) rename testing/btest/scripts/base/frameworks/notice/{suppression-disable.bro => suppression-disable.zeek} (100%) rename testing/btest/scripts/base/frameworks/notice/{suppression.bro => suppression.zeek} (100%) rename testing/btest/scripts/base/frameworks/openflow/{broker-basic.bro => broker-basic.zeek} (94%) rename testing/btest/scripts/base/frameworks/openflow/{log-basic.bro => log-basic.zeek} (100%) rename testing/btest/scripts/base/frameworks/openflow/{log-cluster.bro => log-cluster.zeek} (84%) rename testing/btest/scripts/base/frameworks/openflow/{ryu-basic.bro => ryu-basic.zeek} (100%) rename testing/btest/scripts/base/frameworks/reporter/{disable-stderr.bro => disable-stderr.zeek} (100%) rename testing/btest/scripts/base/frameworks/reporter/{stderr.bro => stderr.zeek} (100%) 
rename testing/btest/scripts/base/frameworks/software/{version-parsing.bro => version-parsing.zeek} (100%) rename testing/btest/scripts/base/frameworks/sumstats/{basic-cluster.bro => basic-cluster.zeek} (98%) rename testing/btest/scripts/base/frameworks/sumstats/{basic.bro => basic.zeek} (100%) rename testing/btest/scripts/base/frameworks/sumstats/{cluster-intermediate-update.bro => cluster-intermediate-update.zeek} (98%) rename testing/btest/scripts/base/frameworks/sumstats/{last-cluster.bro => last-cluster.zeek} (98%) rename testing/btest/scripts/base/frameworks/sumstats/{on-demand-cluster.bro => on-demand-cluster.zeek} (98%) rename testing/btest/scripts/base/frameworks/sumstats/{on-demand.bro => on-demand.zeek} (100%) rename testing/btest/scripts/base/frameworks/sumstats/{sample-cluster.bro => sample-cluster.zeek} (99%) rename testing/btest/scripts/base/frameworks/sumstats/{sample.bro => sample.zeek} (100%) rename testing/btest/scripts/base/frameworks/sumstats/{thresholding.bro => thresholding.zeek} (100%) rename testing/btest/scripts/base/frameworks/sumstats/{topk-cluster.bro => topk-cluster.zeek} (98%) rename testing/btest/scripts/base/frameworks/sumstats/{topk.bro => topk.zeek} (100%) rename testing/btest/scripts/base/misc/{version.bro => version.zeek} (100%) rename testing/btest/scripts/base/protocols/conn/{new_connection_contents.bro => new_connection_contents.zeek} (100%) rename testing/btest/scripts/base/protocols/conn/{threshold.bro => threshold.zeek} (100%) rename testing/btest/scripts/base/protocols/dce-rpc/{context.bro => context.zeek} (100%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_del_measure.bro => dnp3_del_measure.zeek} (96%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_en_spon.bro => dnp3_en_spon.zeek} (97%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_file_del.bro => dnp3_file_del.zeek} (96%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_file_read.bro => dnp3_file_read.zeek} (96%) rename 
testing/btest/scripts/base/protocols/dnp3/{dnp3_file_write.bro => dnp3_file_write.zeek} (96%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_link_only.bro => dnp3_link_only.zeek} (95%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_write.bro => dnp3_read.zeek} (83%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_rec_time.bro => dnp3_rec_time.zeek} (96%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_select_operate.bro => dnp3_select_operate.zeek} (95%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_udp_en_spon.bro => dnp3_udp_en_spon.zeek} (96%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_udp_read.bro => dnp3_udp_read.zeek} (96%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_udp_select_operate.bro => dnp3_udp_select_operate.zeek} (94%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_udp_write.bro => dnp3_udp_write.zeek} (96%) rename testing/btest/scripts/base/protocols/dnp3/{dnp3_read.bro => dnp3_write.zeek} (82%) rename testing/btest/scripts/base/protocols/dnp3/{events.bro => events.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{caa.bro => caa.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{dns-key.bro => dns-key.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{dnskey.bro => dnskey.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{ds.bro => ds.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{duplicate-reponses.bro => duplicate-reponses.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{flip.bro => flip.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{huge-ttl.bro => huge-ttl.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{multiple-txt-strings.bro => multiple-txt-strings.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{nsec.bro => nsec.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{nsec3.bro => nsec3.zeek} (100%) rename 
testing/btest/scripts/base/protocols/dns/{rrsig.bro => rrsig.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{tsig.bro => tsig.zeek} (100%) rename testing/btest/scripts/base/protocols/dns/{zero-responses.bro => zero-responses.zeek} (100%) rename testing/btest/scripts/base/protocols/ftp/{cwd-navigation.bro => cwd-navigation.zeek} (100%) rename testing/btest/scripts/base/protocols/ftp/{ftp-get-file-size.bro => ftp-get-file-size.zeek} (100%) rename testing/btest/scripts/base/protocols/ftp/{ftp-ipv4.bro => ftp-ipv4.zeek} (100%) rename testing/btest/scripts/base/protocols/ftp/{ftp-ipv6.bro => ftp-ipv6.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{100-continue.bro => 100-continue.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{101-switching-protocols.bro => 101-switching-protocols.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{content-range-gap-skip.bro => content-range-gap-skip.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{content-range-gap.bro => content-range-gap.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{content-range-less-than-len.bro => content-range-less-than-len.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{entity-gap.bro => entity-gap.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{entity-gap2.bro => entity-gap2.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{fake-content-length.bro => fake-content-length.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{http-bad-request-with-version.bro => http-bad-request-with-version.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{http-connect-with-header.bro => http-connect-with-header.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{http-connect.bro => http-connect.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{http-filename.bro => http-filename.zeek} (100%) rename 
testing/btest/scripts/base/protocols/http/{http-header-crlf.bro => http-header-crlf.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{http-methods.bro => http-methods.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{http-pipelining.bro => http-pipelining.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{missing-zlib-header.bro => missing-zlib-header.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{multipart-extract.bro => multipart-extract.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{multipart-file-limit.bro => multipart-file-limit.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{no-uri.bro => no-uri.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{no-version.bro => no-version.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{percent-end-of-line.bro => percent-end-of-line.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{x-gzip.bro => x-gzip.zeek} (100%) rename testing/btest/scripts/base/protocols/http/{zero-length-bodies-with-drops.bro => zero-length-bodies-with-drops.zeek} (100%) rename testing/btest/scripts/base/protocols/irc/{names-weird.bro => names-weird.zeek} (100%) rename testing/btest/scripts/base/protocols/modbus/{coil_parsing_big.bro => coil_parsing_big.zeek} (100%) rename testing/btest/scripts/base/protocols/modbus/{coil_parsing_small.bro => coil_parsing_small.zeek} (100%) rename testing/btest/scripts/base/protocols/modbus/{events.bro => events.zeek} (100%) rename testing/btest/scripts/base/protocols/modbus/{length_mismatch.bro => length_mismatch.zeek} (100%) rename testing/btest/scripts/base/protocols/modbus/{policy.bro => policy.zeek} (100%) rename testing/btest/scripts/base/protocols/modbus/{register_parsing.bro => register_parsing.zeek} (100%) rename testing/btest/scripts/base/protocols/ncp/{event.bro => event.zeek} (100%) rename testing/btest/scripts/base/protocols/ncp/{frame_size_tuning.bro => frame_size_tuning.zeek} (100%) 
rename testing/btest/scripts/base/protocols/pop3/{starttls.bro => starttls.zeek} (100%) rename testing/btest/scripts/base/protocols/rdp/{rdp-proprietary-encryption.bro => rdp-proprietary-encryption.zeek} (100%) rename testing/btest/scripts/base/protocols/rdp/{rdp-to-ssl.bro => rdp-to-ssl.zeek} (100%) rename testing/btest/scripts/base/protocols/rdp/{rdp-x509.bro => rdp-x509.zeek} (100%) rename testing/btest/scripts/base/protocols/smb/{smb2-read-write.bro => smb2-read-write.zeek} (100%) rename testing/btest/scripts/base/protocols/snmp/{snmp-addr.bro => snmp-addr.zeek} (100%) rename testing/btest/scripts/base/protocols/snmp/{v1.bro => v1.zeek} (78%) rename testing/btest/scripts/base/protocols/snmp/{v2.bro => v2.zeek} (77%) rename testing/btest/scripts/base/protocols/snmp/{v3.bro => v3.zeek} (79%) rename testing/btest/scripts/base/protocols/socks/{socks-auth.bro => socks-auth.zeek} (100%) rename testing/btest/scripts/base/protocols/syslog/{missing-pri.bro => missing-pri.zeek} (100%) rename testing/btest/scripts/base/protocols/tcp/{pending.bro => pending.zeek} (100%) rename testing/btest/scripts/base/utils/{decompose_uri.bro => decompose_uri.zeek} (100%) rename testing/btest/scripts/base/utils/{hash_hrw.bro => hash_hrw.zeek} (100%) rename testing/btest/scripts/{check-test-all-policy.bro => check-test-all-policy.zeek} (100%) rename testing/btest/scripts/policy/frameworks/files/{extract-all.bro => extract-all.zeek} (100%) rename testing/btest/scripts/policy/frameworks/intel/{removal.bro => removal.zeek} (100%) rename testing/btest/scripts/policy/frameworks/intel/seen/{certs.bro => certs.zeek} (100%) rename testing/btest/scripts/policy/frameworks/intel/seen/{smb.bro => smb.zeek} (100%) rename testing/btest/scripts/policy/frameworks/intel/seen/{smtp.bro => smtp.zeek} (100%) rename testing/btest/scripts/policy/frameworks/intel/{whitelisting.bro => whitelisting.zeek} (100%) rename testing/btest/scripts/policy/frameworks/software/{version-changes.bro => version-changes.zeek} 
(100%) rename testing/btest/scripts/policy/frameworks/software/{vulnerable.bro => vulnerable.zeek} (100%) rename testing/btest/scripts/policy/misc/{dump-events.bro => dump-events.zeek} (100%) rename testing/btest/scripts/policy/misc/{weird-stats-cluster.bro => weird-stats-cluster.zeek} (98%) rename testing/btest/scripts/policy/misc/{weird-stats.bro => weird-stats.zeek} (100%) rename testing/btest/scripts/policy/protocols/conn/{known-hosts.bro => known-hosts.zeek} (100%) rename testing/btest/scripts/policy/protocols/conn/{known-services.bro => known-services.zeek} (100%) rename testing/btest/scripts/policy/protocols/conn/{mac-logging.bro => mac-logging.zeek} (100%) rename testing/btest/scripts/policy/protocols/conn/{vlan-logging.bro => vlan-logging.zeek} (100%) rename testing/btest/scripts/policy/protocols/dns/{inverse-request.bro => inverse-request.zeek} (100%) rename testing/btest/scripts/policy/protocols/http/{flash-version.bro => flash-version.zeek} (100%) rename testing/btest/scripts/policy/protocols/http/{header-names.bro => header-names.zeek} (100%) rename testing/btest/scripts/policy/protocols/http/{test-sql-injection-regex.bro => test-sql-injection-regex.zeek} (100%) rename testing/btest/scripts/policy/protocols/krb/{ticket-logging.bro => ticket-logging.zeek} (100%) rename testing/btest/scripts/policy/protocols/ssh/{detect-bruteforcing.bro => detect-bruteforcing.zeek} (100%) rename testing/btest/scripts/policy/protocols/ssl/{expiring-certs.bro => expiring-certs.zeek} (100%) rename testing/btest/scripts/policy/protocols/ssl/{extract-certs-pem.bro => extract-certs-pem.zeek} (100%) rename testing/btest/scripts/policy/protocols/ssl/{heartbleed.bro => heartbleed.zeek} (100%) rename testing/btest/scripts/policy/protocols/ssl/{known-certs.bro => known-certs.zeek} (100%) rename testing/btest/scripts/policy/protocols/ssl/{log-hostcerts-only.bro => log-hostcerts-only.zeek} (100%) rename testing/btest/scripts/policy/protocols/ssl/{validate-certs-no-cache.bro => 
validate-certs-no-cache.zeek} (88%) rename testing/btest/scripts/policy/protocols/ssl/{validate-certs.bro => validate-certs.zeek} (84%) rename testing/btest/scripts/policy/protocols/ssl/{validate-ocsp.bro => validate-ocsp.zeek} (62%) rename testing/btest/scripts/policy/protocols/ssl/{validate-sct.bro => validate-sct.zeek} (88%) rename testing/btest/scripts/policy/protocols/ssl/{weak-keys.bro => weak-keys.zeek} (100%) rename testing/btest/signatures/{bad-eval-condition.bro => bad-eval-condition.zeek} (100%) rename testing/btest/signatures/{dpd.bro => dpd.zeek} (100%) rename testing/btest/signatures/{dst-ip-cidr-v4.bro => dst-ip-cidr-v4.zeek} (100%) rename testing/btest/signatures/{dst-ip-header-condition-v4-masks.bro => dst-ip-header-condition-v4-masks.zeek} (100%) rename testing/btest/signatures/{dst-ip-header-condition-v4.bro => dst-ip-header-condition-v4.zeek} (100%) rename testing/btest/signatures/{dst-ip-header-condition-v6-masks.bro => dst-ip-header-condition-v6-masks.zeek} (100%) rename testing/btest/signatures/{dst-ip-header-condition-v6.bro => dst-ip-header-condition-v6.zeek} (100%) rename testing/btest/signatures/{dst-port-header-condition.bro => dst-port-header-condition.zeek} (100%) rename testing/btest/signatures/{eval-condition-no-return-value.bro => eval-condition-no-return-value.zeek} (100%) rename testing/btest/signatures/{eval-condition.bro => eval-condition.zeek} (100%) rename testing/btest/signatures/{header-header-condition.bro => header-header-condition.zeek} (100%) rename testing/btest/signatures/{id-lookup.bro => id-lookup.zeek} (100%) rename testing/btest/signatures/{ip-proto-header-condition.bro => ip-proto-header-condition.zeek} (100%) rename testing/btest/signatures/{load-sigs.bro => load-sigs.zeek} (100%) rename testing/btest/signatures/{src-ip-header-condition-v4-masks.bro => src-ip-header-condition-v4-masks.zeek} (100%) rename testing/btest/signatures/{src-ip-header-condition-v4.bro => src-ip-header-condition-v4.zeek} (100%) rename 
testing/btest/signatures/{src-ip-header-condition-v6-masks.bro => src-ip-header-condition-v6-masks.zeek} (100%) rename testing/btest/signatures/{src-ip-header-condition-v6.bro => src-ip-header-condition-v6.zeek} (100%) rename testing/btest/signatures/{src-port-header-condition.bro => src-port-header-condition.zeek} (100%) rename testing/btest/signatures/{udp-packetwise-match.bro => udp-packetwise-match.zeek} (100%) rename testing/btest/signatures/{udp-payload-size.bro => udp-payload-size.zeek} (100%) delete mode 120000 testing/external/scripts/external-ca-list.bro create mode 120000 testing/external/scripts/external-ca-list.zeek rename testing/external/scripts/{testing-setup.bro => testing-setup.zeek} (91%) rename testing/scripts/{external-ca-list.bro => external-ca-list.zeek} (100%) rename testing/scripts/{file-analysis-test.bro => file-analysis-test.zeek} (100%) rename testing/scripts/{snmp-test.bro => snmp-test.zeek} (100%) diff --git a/CHANGES b/CHANGES index 8ca429af4c..d9146fbb9b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-225 | 2019-04-16 16:07:49 -0700 + + * Use .zeek file suffix in unit tests (Jon Siwek, Corelight) + 2.6-223 | 2019-04-16 11:56:00 -0700 * Update tests and baselines due to renaming all scripts (Daniel Thayer) diff --git a/VERSION b/VERSION index 439c8eab2d..23ad9f21a7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-223 +2.6-225 diff --git a/testing/btest/Baseline/bifs.to_double_from_string/error b/testing/btest/Baseline/bifs.to_double_from_string/error index d6c6c0c75b..ed0ae3a1f9 100644 --- a/testing/btest/Baseline/bifs.to_double_from_string/error +++ b/testing/btest/Baseline/bifs.to_double_from_string/error 
@@ -1,2 +1,2 @@
-error in /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.bro, line 7 and /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.bro, line 15: bad conversion to double (to_double(d) and NotADouble)
-error in /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.bro, line 7 and /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.bro, line 16: bad conversion to double (to_double(d) and )
+error in /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.zeek, line 7 and /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.zeek, line 15: bad conversion to double (to_double(d) and NotADouble)
+error in /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.zeek, line 7 and /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.zeek, line 16: bad conversion to double (to_double(d) and )
diff --git a/testing/btest/Baseline/core.div-by-zero/out b/testing/btest/Baseline/core.div-by-zero/out
index dca1894e32..702d00c156 100644
--- a/testing/btest/Baseline/core.div-by-zero/out
+++ b/testing/btest/Baseline/core.div-by-zero/out
@@ -1,5 +1,5 @@ -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 6: division by zero (a / b) -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 11: division by zero (a / b) -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 16: division by zero (a / b) -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 21: modulo by zero (a % b) -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 26: modulo by zero (a % b) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 6: division by zero (a / b) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 11: division by zero (a / b) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 16: division by zero (a / b) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 21: modulo by zero (a % b) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 26: modulo by zero (a % b) diff --git a/testing/btest/Baseline/core.expr-exception/reporter.log b/testing/btest/Baseline/core.expr-exception/reporter.log index f546142dca..e2e1a4103f 100644 --- a/testing/btest/Baseline/core.expr-exception/reporter.log +++ b/testing/btest/Baseline/core.expr-exception/reporter.log 
@@ -6,13 +6,13 @@ #open 2011-03-18-19-06-08 #fields ts level message location #types time enum string string -1300475168.783842 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 -1300475168.915940 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 -1300475168.916118 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 -1300475168.918295 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 -1300475168.952193 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 -1300475168.952228 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 -1300475168.954761 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 -1300475168.962628 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 -1300475169.780331 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 +1300475168.783842 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10 +1300475168.915940 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10 +1300475168.916118 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10 
+1300475168.918295 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10 +1300475168.952193 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10 +1300475168.952228 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10 +1300475168.954761 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10 +1300475168.962628 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10 +1300475169.780331 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10 #close 2011-03-18-19-06-13 diff --git a/testing/btest/Baseline/core.init-error/out b/testing/btest/Baseline/core.init-error/out index 50aea70a75..3079bdfcbd 100644 --- a/testing/btest/Baseline/core.init-error/out +++ b/testing/btest/Baseline/core.init-error/out @@ -1,4 +1,4 @@ -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/core.init-error/init-error.bro, line 15: no such index (v[10]) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/core.init-error/init-error.zeek, line 15: no such index (v[10]) fatal error: errors occurred while initializing 1st event 2nd event diff --git a/testing/btest/Baseline/core.old_comm_usage/out b/testing/btest/Baseline/core.old_comm_usage/out index 219a2f5620..cf4820d82e 100644 --- a/testing/btest/Baseline/core.old_comm_usage/out +++ b/testing/btest/Baseline/core.old_comm_usage/out 
@@ -1,2 +1,2 @@ -warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.bro, line 6: deprecated (terminate_communication) +warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.zeek, line 6: deprecated (terminate_communication) fatal error: Detected old, deprecated communication system usages that will not work unless you explicitly take action to initizialize and set up the old comm. system. Set the 'old_comm_usage_is_ok' flag to bypass this error if you've taken such actions, but the suggested solution is to port scripts to use the new Broker API. diff --git a/testing/btest/Baseline/core.option-errors-2/.stderr b/testing/btest/Baseline/core.option-errors-2/.stderr index 90011d5c85..ef9fb3ae4e 100644 --- a/testing/btest/Baseline/core.option-errors-2/.stderr +++ b/testing/btest/Baseline/core.option-errors-2/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-2/option-errors.bro, line 2: option variable must be initialized (testbool) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-2/option-errors.zeek, line 2: option variable must be initialized (testbool) diff --git a/testing/btest/Baseline/core.option-errors-3/.stderr b/testing/btest/Baseline/core.option-errors-3/.stderr index ffe699c739..a3c52db614 100644 --- a/testing/btest/Baseline/core.option-errors-3/.stderr +++ b/testing/btest/Baseline/core.option-errors-3/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-3/option-errors.bro, line 3: option is not a modifiable lvalue (testopt) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-3/option-errors.zeek, line 3: option is not a modifiable lvalue (testopt) diff --git a/testing/btest/Baseline/core.option-errors/.stderr b/testing/btest/Baseline/core.option-errors/.stderr index 27a73e180d..3e5dc6c86c 100644 
--- a/testing/btest/Baseline/core.option-errors/.stderr +++ b/testing/btest/Baseline/core.option-errors/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors/option-errors.bro, line 4: no type given (testbool) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors/option-errors.zeek, line 4: no type given (testbool) diff --git a/testing/btest/Baseline/core.option-runtime-errors-10/.stderr b/testing/btest/Baseline/core.option-runtime-errors-10/.stderr index 3b4cf422f5..6f385fbb29 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-10/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-10/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-10/option-runtime-errors.bro, line 7: ID 'A' is not an option (Option::set_change_handler(A, option_changed, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-10/option-runtime-errors.zeek, line 7: ID 'A' is not an option (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-11/.stderr b/testing/btest/Baseline/core.option-runtime-errors-11/.stderr index 8fd7de5d2e..b0f531df70 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-11/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-11/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-11/option-runtime-errors.bro, line 4: Option::on_change needs function argument; got 'count' for ID 'A' (Option::set_change_handler(A, A, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-11/option-runtime-errors.zeek, line 4: Option::on_change needs function argument; got 'count' for ID 'A' (Option::set_change_handler(A, A, (coerce 0 to int))) 
diff --git a/testing/btest/Baseline/core.option-runtime-errors-12/.stderr b/testing/btest/Baseline/core.option-runtime-errors-12/.stderr index 635b287c6b..bd38eea092 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-12/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-12/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-12/option-runtime-errors.bro, line 7: Third argument of passed function has to be string in Option::on_change for ID 'A'; got 'count' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-12/option-runtime-errors.zeek, line 7: Third argument of passed function has to be string in Option::on_change for ID 'A'; got 'count' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-13/.stderr b/testing/btest/Baseline/core.option-runtime-errors-13/.stderr index 7b58339d8b..738cfff6e5 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-13/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-13/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-13/option-runtime-errors.bro, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 4 (Option::set_change_handler(A, option_changed, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-13/option-runtime-errors.zeek, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 4 (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-2/.stderr b/testing/btest/Baseline/core.option-runtime-errors-2/.stderr index ad027f69db..25d102b9f7 100644 
--- a/testing/btest/Baseline/core.option-runtime-errors-2/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-2/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-2/option-runtime-errors.bro, line 3: Incompatible type for set of ID 'A': got 'string', need 'count' (Option::set(A, hi, )) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-2/option-runtime-errors.zeek, line 3: Incompatible type for set of ID 'A': got 'string', need 'count' (Option::set(A, hi, )) diff --git a/testing/btest/Baseline/core.option-runtime-errors-3/.stderr b/testing/btest/Baseline/core.option-runtime-errors-3/.stderr index 2c98b170b7..d784841888 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-3/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-3/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-3/option-runtime-errors.bro, line 3: ID 'A' is not an option (Option::set(A, 6, )) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-3/option-runtime-errors.zeek, line 3: ID 'A' is not an option (Option::set(A, 6, )) diff --git a/testing/btest/Baseline/core.option-runtime-errors-4/.stderr b/testing/btest/Baseline/core.option-runtime-errors-4/.stderr index a965ddd3ae..ec76dc4be4 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-4/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-4/.stderr 
@@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-4/option-runtime-errors.bro, line 7: Second argument of passed function has to be count in Option::on_change for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-4/option-runtime-errors.zeek, line 7: Second argument of passed function has to be count in Option::on_change for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-5/.stderr b/testing/btest/Baseline/core.option-runtime-errors-5/.stderr index d931ff062a..4130f865d6 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-5/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-5/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-5/option-runtime-errors.bro, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 1 (Option::set_change_handler(A, option_changed, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-5/option-runtime-errors.zeek, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 1 (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-6/.stderr b/testing/btest/Baseline/core.option-runtime-errors-6/.stderr index 593c239155..ee01ccfb1f 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-6/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-6/.stderr 
@@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-6/option-runtime-errors.bro, line 7: Passed function needs to return type 'count' for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-6/option-runtime-errors.zeek, line 7: Passed function needs to return type 'count' for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-7/.stderr b/testing/btest/Baseline/core.option-runtime-errors-7/.stderr index 57f7b5c21b..6d5f9f4595 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-7/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-7/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-7/option-runtime-errors.bro, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-7/option-runtime-errors.zeek, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-8/.stderr b/testing/btest/Baseline/core.option-runtime-errors-8/.stderr index 2e7735f433..90cec05f47 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-8/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-8/.stderr 
@@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-8/option-runtime-errors.bro, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-8/option-runtime-errors.zeek, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-9/.stderr b/testing/btest/Baseline/core.option-runtime-errors-9/.stderr index a95196eef7..f2ce6efd83 100644 --- a/testing/btest/Baseline/core.option-runtime-errors-9/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors-9/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-9/option-runtime-errors.bro, line 5: Could not find ID named 'A' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-9/option-runtime-errors.zeek, line 5: Could not find ID named 'A' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors/.stderr b/testing/btest/Baseline/core.option-runtime-errors/.stderr index f3ad46d382..0d4da12312 100644 --- a/testing/btest/Baseline/core.option-runtime-errors/.stderr +++ b/testing/btest/Baseline/core.option-runtime-errors/.stderr @@ -1 +1 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors/option-runtime-errors.bro, line 8: Could not find ID named 'B' (Option::set(B, 6, )) +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors/option-runtime-errors.zeek, line 8: Could not find ID named 'B' (Option::set(B, 6, )) 
diff --git a/testing/btest/Baseline/core.reporter-error-in-handler/output b/testing/btest/Baseline/core.reporter-error-in-handler/output index ab5309b659..85014657a3 100644 --- a/testing/btest/Baseline/core.reporter-error-in-handler/output +++ b/testing/btest/Baseline/core.reporter-error-in-handler/output @@ -1,3 +1,3 @@ -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.bro, line 28: no such index (a[1]) -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.bro, line 22: no such index (a[2]) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.zeek, line 28: no such index (a[1]) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.zeek, line 22: no such index (a[2]) 1st error printed on script level diff --git a/testing/btest/Baseline/core.reporter-fmt-strings/output b/testing/btest/Baseline/core.reporter-fmt-strings/output index bbd76f3447..4e31478caa 100644 --- a/testing/btest/Baseline/core.reporter-fmt-strings/output +++ b/testing/btest/Baseline/core.reporter-fmt-strings/output @@ -1 +1 @@ -error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-fmt-strings/reporter-fmt-strings.bro, line 9: not an event (dont_interpret_this(%s)) +error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-fmt-strings/reporter-fmt-strings.zeek, line 9: not an event (dont_interpret_this(%s)) diff --git a/testing/btest/Baseline/core.reporter-parse-error/output b/testing/btest/Baseline/core.reporter-parse-error/output index 76535f75d1..4dd922fd24 100644 --- a/testing/btest/Baseline/core.reporter-parse-error/output +++ b/testing/btest/Baseline/core.reporter-parse-error/output 
@@ -1 +1 @@ -error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-parse-error/reporter-parse-error.bro, line 7: unknown identifier TESTFAILURE, at or near "TESTFAILURE" +error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-parse-error/reporter-parse-error.zeek, line 7: unknown identifier TESTFAILURE, at or near "TESTFAILURE" diff --git a/testing/btest/Baseline/core.reporter-runtime-error/output b/testing/btest/Baseline/core.reporter-runtime-error/output index 695e2e2f81..7e0ab11845 100644 --- a/testing/btest/Baseline/core.reporter-runtime-error/output +++ b/testing/btest/Baseline/core.reporter-runtime-error/output @@ -1,2 +1,2 @@ -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 12: no such index (a[1]) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.zeek, line 12: no such index (a[1]) fatal error: failed to execute script statements at top-level scope diff --git a/testing/btest/Baseline/core.reporter-type-mismatch/output b/testing/btest/Baseline/core.reporter-type-mismatch/output index 23eefd13e8..d54e6e2b9b 100644 --- a/testing/btest/Baseline/core.reporter-type-mismatch/output +++ b/testing/btest/Baseline/core.reporter-type-mismatch/output 
@@ -1,3 +1,3 @@ -error in string and /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: arithmetic mixed with non-arithmetic (string and 42) -error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11 and string: type mismatch (42 and string) -error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: argument type mismatch in event invocation (foo(42)) +error in string and /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.zeek, line 11: arithmetic mixed with non-arithmetic (string and 42) +error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.zeek, line 11 and string: type mismatch (42 and string) +error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.zeek, line 11: argument type mismatch in event invocation (foo(42)) diff --git a/testing/btest/Baseline/core.reporter/logger-test.log b/testing/btest/Baseline/core.reporter/logger-test.log index 4ee0d03341..1dc58b65cd 100644 --- a/testing/btest/Baseline/core.reporter/logger-test.log +++ b/testing/btest/Baseline/core.reporter/logger-test.log 
@@ -1,6 +1,6 @@ -reporter_info|init test-info|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 8|0.000000 -reporter_warning|init test-warning|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 9|0.000000 -reporter_error|init test-error|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 10|0.000000 -reporter_info|done test-info|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 15|0.000000 -reporter_warning|done test-warning|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 16|0.000000 -reporter_error|done test-error|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 17|0.000000 +reporter_info|init test-info|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 8|0.000000 +reporter_warning|init test-warning|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 9|0.000000 +reporter_error|init test-error|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 10|0.000000 +reporter_info|done test-info|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 15|0.000000 +reporter_warning|done test-warning|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 16|0.000000 +reporter_error|done test-error|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 17|0.000000 diff --git a/testing/btest/Baseline/core.reporter/output b/testing/btest/Baseline/core.reporter/output index 24a12f9679..12069545ba 100644 --- a/testing/btest/Baseline/core.reporter/output +++ b/testing/btest/Baseline/core.reporter/output 
@@ -1,9 +1,9 @@ -/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 52: pre test-info -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 53: pre test-warning -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 54: pre test-error -/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 8: init test-info -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 9: init test-warning -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 10: init test-error -/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 15: done test-info -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 16: done test-warning -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 17: done test-error +/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 52: pre test-info +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 53: pre test-warning +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 54: pre test-error +/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 8: init test-info +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 9: init test-warning +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 10: init test-error +/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 15: done test-info +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 16: done test-warning +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 17: 
done test-error diff --git a/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output b/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output index 27a90d137c..04236c9f83 100644 --- a/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output +++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output @@ -1,7 +1,7 @@ -expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 47: field value missing (myrecord$notset) -expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 91: field value missing (myrecord$notset) -expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 72: field value missing (myrecord$notset) -expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 103: field value missing (myrecord$notset) +expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.zeek, line 47: field value missing (myrecord$notset) +expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.zeek, line 91: field value missing (myrecord$notset) +expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.zeek, line 72: field value missing (myrecord$notset) +expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.zeek, line 103: field value missing (myrecord$notset) received termination signal [f(F)] f() done, no exception, T 
diff --git a/testing/btest/Baseline/coverage.coverage-blacklist/output b/testing/btest/Baseline/coverage.coverage-blacklist/output index c54e4283b2..e27574face 100644 --- a/testing/btest/Baseline/coverage.coverage-blacklist/output +++ b/testing/btest/Baseline/coverage.coverage-blacklist/output @@ -1,5 +1,5 @@ -1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 13 print cover me; -1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 17 print always executed; -0 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 26 print also impossible, but included in code coverage analysis; -1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 29 print success; -1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 5 print first; +1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 13 print cover me; +1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 17 print always executed; +0 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 26 print also impossible, but included in code coverage analysis; +1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 29 print success; +1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 5 print first; diff --git a/testing/btest/Baseline/language.at-deprecated/.stderr b/testing/btest/Baseline/language.at-deprecated/.stderr index 4668f2d7bf..97dc7ea331 100644 --- a/testing/btest/Baseline/language.at-deprecated/.stderr +++ b/testing/btest/Baseline/language.at-deprecated/.stderr 
@@ -1,3 +1,3 @@ -warning in ./foo.bro, line 1: deprecated script loaded from command line arguments -warning in ./bar.bro, line 1: deprecated script loaded from ./foo.bro:2 "Use '@load qux.bro' instead" -warning in ./baz.bro, line 1: deprecated script loaded from ./foo.bro:3 +warning in ./foo.zeek, line 1: deprecated script loaded from command line arguments +warning in ./bar.zeek, line 1: deprecated script loaded from ./foo.zeek:2 "Use '@load qux' instead" +warning in ./baz.zeek, line 1: deprecated script loaded from ./foo.zeek:3 diff --git a/testing/btest/Baseline/language.at-filename/out b/testing/btest/Baseline/language.at-filename/out index 12cfb152d9..23b37ef249 100644 --- a/testing/btest/Baseline/language.at-filename/out +++ b/testing/btest/Baseline/language.at-filename/out @@ -1 +1 @@ -at-filename.bro +at-filename.zeek diff --git a/testing/btest/Baseline/language.at-if-invalid/out b/testing/btest/Baseline/language.at-if-invalid/out index 63b93a3cf8..0214a8d2f8 100644 --- a/testing/btest/Baseline/language.at-if-invalid/out +++ b/testing/btest/Baseline/language.at-if-invalid/out 
@@ -1,4 +1,4 @@ -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.bro, line 28: referencing a local name in @if (xyz) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.bro, line 28: invalid expression in @if (F && foo(xyz)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.bro, line 36: referencing a local name in @if (local_true_condition) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.bro, line 36: invalid expression in @if (T && TRUE_CONDITION && local_true_condition) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.zeek, line 28: referencing a local name in @if (xyz) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.zeek, line 28: invalid expression in @if (F && foo(xyz)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.zeek, line 36: referencing a local name in @if (local_true_condition) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.zeek, line 36: invalid expression in @if (T && TRUE_CONDITION && local_true_condition) diff --git a/testing/btest/Baseline/language.attr-default-global-set-error/out b/testing/btest/Baseline/language.attr-default-global-set-error/out index c784bb683b..6f3fd63d4f 100644 --- a/testing/btest/Baseline/language.attr-default-global-set-error/out +++ b/testing/btest/Baseline/language.attr-default-global-set-error/out 
@@ -1,2 +1,2 @@ -error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.attr-default-global-set-error/attr-default-global-set-error.bro, line 4: arithmetic mixed with non-arithmetic (set[string] and 0) -error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.attr-default-global-set-error/attr-default-global-set-error.bro, line 4: &default value has inconsistent type (0 and set[string]) +error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.attr-default-global-set-error/attr-default-global-set-error.zeek, line 4: arithmetic mixed with non-arithmetic (set[string] and 0) +error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.attr-default-global-set-error/attr-default-global-set-error.zeek, line 4: &default value has inconsistent type (0 and set[string]) diff --git a/testing/btest/Baseline/language.common-mistakes/1.out b/testing/btest/Baseline/language.common-mistakes/1.out index 8070f84644..6c5428605f 100644 --- a/testing/btest/Baseline/language.common-mistakes/1.out +++ b/testing/btest/Baseline/language.common-mistakes/1.out @@ -1,4 +1,4 @@ -expression error in ./1.bro, line 9: field value missing (mr$f) +expression error in ./1.zeek, line 9: field value missing (mr$f) bar start foo start other bro_init diff --git a/testing/btest/Baseline/language.common-mistakes/2.out b/testing/btest/Baseline/language.common-mistakes/2.out index dd62af107c..dbf4ed7ae6 100644 --- a/testing/btest/Baseline/language.common-mistakes/2.out +++ b/testing/btest/Baseline/language.common-mistakes/2.out @@ -1,2 +1,2 @@ -expression error in ./2.bro, line 7: no such index (t[nope]) +expression error in ./2.zeek, line 7: no such index (t[nope]) in foo diff --git a/testing/btest/Baseline/language.common-mistakes/3.out b/testing/btest/Baseline/language.common-mistakes/3.out index d914d399a7..62cb349e7d 100644 --- a/testing/btest/Baseline/language.common-mistakes/3.out +++ b/testing/btest/Baseline/language.common-mistakes/3.out 
@@ -1,2 +1,2 @@ -expression error in ./3.bro, line 5: type-checking failed in vector append (v += ok) +expression error in ./3.zeek, line 5: type-checking failed in vector append (v += ok) in foo diff --git a/testing/btest/Baseline/language.const/invalid.stderr b/testing/btest/Baseline/language.const/invalid.stderr index b08c472708..5b6e120f8e 100644 --- a/testing/btest/Baseline/language.const/invalid.stderr +++ b/testing/btest/Baseline/language.const/invalid.stderr 
@@ -1,13 +1,13 @@
-error in ./invalid.bro, line 15: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 16: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 17: const is not a modifiable lvalue (bar)
-error in ./invalid.bro, line 17: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 18: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 19: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 20: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 22: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 25: const is not a modifiable lvalue (bar)
-error in ./invalid.bro, line 26: const is not a modifiable lvalue (baz)
-error in ./invalid.bro, line 27: const is not a modifiable lvalue (bar)
-error in ./invalid.bro, line 28: const is not a modifiable lvalue (baz)
-error in ./invalid.bro, line 33: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 15: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 16: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 17: const is not a modifiable lvalue (bar)
+error in ./invalid.zeek, line 17: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 18: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 19: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 20: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 22: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 25: const is not a modifiable lvalue (bar)
+error in ./invalid.zeek, line 26: const is not a modifiable lvalue (baz)
+error in ./invalid.zeek, line 27: const is not a modifiable lvalue (bar)
+error in ./invalid.zeek, line 28: const is not a modifiable lvalue (baz)
+error in ./invalid.zeek, line 33: const is not a modifiable lvalue (foo)
diff --git a/testing/btest/Baseline/language.deprecated/out b/testing/btest/Baseline/language.deprecated/out
index 5bdf87a62b..3126b1e78b 100644
--- a/testing/btest/Baseline/language.deprecated/out
+++ b/testing/btest/Baseline/language.deprecated/out
@@ -1,22 +1,22 @@ -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 30: deprecated (ONE) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 31: deprecated (TWO) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 33: deprecated (GREEN) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 34: deprecated (BLUE) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 36: deprecated (blah) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 40: deprecated (my_event) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 41: deprecated (my_event) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 42: deprecated (my_hook) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 44: deprecated (my_record$b) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 45: deprecated (my_record$b) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 46: deprecated (my_record$b) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 48: deprecated (my_record?$b) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 49: deprecated (my_record$b) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 52: deprecated (my_record$b) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 55: deprecated (my_event) -warning in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 60: deprecated (my_hook) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 65: deprecated (blah) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 74: deprecated (dont_use_me) -warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 79: deprecated (dont_use_me_either) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 30: deprecated (ONE) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 31: deprecated (TWO) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 33: deprecated (GREEN) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 34: deprecated (BLUE) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 36: deprecated (blah) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 40: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 41: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 42: deprecated (my_hook) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 44: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 45: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 46: deprecated (my_record$b) +warning in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 48: deprecated (my_record?$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 49: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 52: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 55: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 60: deprecated (my_hook) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 65: deprecated (blah) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 74: deprecated (dont_use_me) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 79: deprecated (dont_use_me_either) ZERO ONE TWO diff --git a/testing/btest/Baseline/language.eof-parse-errors/output1 b/testing/btest/Baseline/language.eof-parse-errors/output1 index 47a1c328e3..0fd8331175 100644 --- a/testing/btest/Baseline/language.eof-parse-errors/output1 +++ b/testing/btest/Baseline/language.eof-parse-errors/output1 @@ -1 +1 @@ -error: syntax error, at end of file ./a.bro +error: syntax error, at end of file ./a.zeek diff --git a/testing/btest/Baseline/language.eof-parse-errors/output2 b/testing/btest/Baseline/language.eof-parse-errors/output2 index 6f382c2a12..b7a433b9b0 100644 --- a/testing/btest/Baseline/language.eof-parse-errors/output2 +++ b/testing/btest/Baseline/language.eof-parse-errors/output2 @@ -1 +1 @@ -error in ./b.bro, line 1: syntax error, at or near "module" or end of file ./a.bro +error in ./b.zeek, line 1: syntax error, at or near "module" or end of file ./a.zeek 
diff --git a/testing/btest/Baseline/language.event-local-var/out b/testing/btest/Baseline/language.event-local-var/out index 2802c45d69..465a97d5cf 100644 --- a/testing/btest/Baseline/language.event-local-var/out +++ b/testing/btest/Baseline/language.event-local-var/out @@ -1 +1 @@ -error in /home/jgras/devel/bro/testing/btest/.tmp/language.event-local-var/event-local-var.bro, line 15: local identifier "v" cannot be used to reference an event, at or near ")" +error in /home/jgras/devel/bro/testing/btest/.tmp/language.event-local-var/event-local-var.zeek, line 15: local identifier "v" cannot be used to reference an event, at or near ")" diff --git a/testing/btest/Baseline/language.expire-expr-error/output b/testing/btest/Baseline/language.expire-expr-error/output index dfa0bf64c3..5bc22b8202 100644 --- a/testing/btest/Baseline/language.expire-expr-error/output +++ b/testing/btest/Baseline/language.expire-expr-error/output @@ -1,2 +1,2 @@ -expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 8: no such index (x[kaputt]) +expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.zeek, line 8: no such index (x[kaputt]) received termination signal diff --git a/testing/btest/Baseline/language.expire-func-undef/output b/testing/btest/Baseline/language.expire-func-undef/output index cf869bbe6b..fb783261be 100644 --- a/testing/btest/Baseline/language.expire-func-undef/output +++ b/testing/btest/Baseline/language.expire-func-undef/output 
@@ -1,20 +1,20 @@ -1299470395.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299470405.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299473995.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299474005.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299477595.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299477605.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299481195.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299481205.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299484795.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299484805.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299488395.000000 expression error in 
/home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299488405.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299491995.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299492005.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299495595.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299495605.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299499195.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299499205.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) -1299502795.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary) +1299470395.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299470405.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but 
not set (segfault::scan_summary) +1299473995.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299474005.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299477595.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299477605.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299481195.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299481205.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299484795.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299484805.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299488395.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299488405.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299491995.000000 expression error in 
/home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299492005.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299495595.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299495605.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299499195.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299499205.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) +1299502795.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary) orig: 10.0.0.2: peers: {\x0a\x0910.0.0.3\x0a} diff --git a/testing/btest/Baseline/language.expire-type-error/out b/testing/btest/Baseline/language.expire-type-error/out index c0987a6341..1050304b06 100644 --- a/testing/btest/Baseline/language.expire-type-error/out +++ b/testing/btest/Baseline/language.expire-type-error/out @@ -1 +1 @@ -error in /home/robin/bro/master/testing/btest/.tmp/language.expire-type-error/expire-type-error.bro, line 4: expiration interval has wrong type (kaputt) +error in /home/robin/bro/master/testing/btest/.tmp/language.expire-type-error/expire-type-error.zeek, line 4: expiration interval has wrong type (kaputt) 
diff --git a/testing/btest/Baseline/language.hook_calls/invalid.out b/testing/btest/Baseline/language.hook_calls/invalid.out
index 3412c1900e..fdfd719cd8 100644
--- a/testing/btest/Baseline/language.hook_calls/invalid.out
+++ b/testing/btest/Baseline/language.hook_calls/invalid.out
@@ -1,10 +1,10 @@
-error in ./invalid.bro, line 9: hook cannot be called directly, use hook operator (myhook)
-warning in ./invalid.bro, line 9: expression value ignored (myhook(3))
-error in ./invalid.bro, line 10: hook cannot be called directly, use hook operator (myhook)
-error in ./invalid.bro, line 11: hook cannot be called directly, use hook operator (myhook)
-error in ./invalid.bro, line 12: not a valid hook call expression (2 + 2)
-warning in ./invalid.bro, line 12: expression value ignored (2 + 2)
-error in ./invalid.bro, line 13: not a valid hook call expression (2 + 2)
-error in ./invalid.bro, line 15: hook cannot be called directly, use hook operator (h)
-warning in ./invalid.bro, line 15: expression value ignored (h(3))
-error in ./invalid.bro, line 16: hook cannot be called directly, use hook operator (h)
+error in ./invalid.zeek, line 9: hook cannot be called directly, use hook operator (myhook)
+warning in ./invalid.zeek, line 9: expression value ignored (myhook(3))
+error in ./invalid.zeek, line 10: hook cannot be called directly, use hook operator (myhook)
+error in ./invalid.zeek, line 11: hook cannot be called directly, use hook operator (myhook)
+error in ./invalid.zeek, line 12: not a valid hook call expression (2 + 2)
+warning in ./invalid.zeek, line 12: expression value ignored (2 + 2)
+error in ./invalid.zeek, line 13: not a valid hook call expression (2 + 2)
+error in ./invalid.zeek, line 15: hook cannot be called directly, use hook operator (h)
+warning in ./invalid.zeek, line 15: expression value ignored (h(3))
+error in ./invalid.zeek, line 16: hook cannot be called directly, use hook operator (h)
diff --git a/testing/btest/Baseline/language.index-assignment-invalid/out b/testing/btest/Baseline/language.index-assignment-invalid/out index 44e82d16f6..02dd4100ce 100644 --- a/testing/btest/Baseline/language.index-assignment-invalid/out +++ b/testing/btest/Baseline/language.index-assignment-invalid/out @@ -1,5 +1,5 @@ runtime error in /home/jon/pro/zeek/zeek/scripts/base/utils/queue.zeek, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=], expression: Queue::ret[Queue::j], call stack: - #0 Queue::get_vector([initialized=T, vals={[2] = test,[6] = jkl;,[4] = asdf,[1] = goodbye,[5] = 3,[0] = hello,[3] = [a=T, b=hi, c=]}, settings=[max_len=], top=7, bottom=0, size=0], [hello, goodbye, test]) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:19 - #1 bar(55) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:27 - #2 foo(hi, 13) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:39 + #0 Queue::get_vector([initialized=T, vals={[2] = test,[6] = jkl;,[4] = asdf,[1] = goodbye,[5] = 3,[0] = hello,[3] = [a=T, b=hi, c=]}, settings=[max_len=], top=7, bottom=0, size=0], [hello, goodbye, test]) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.zeek:19 + #1 bar(55) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.zeek:27 + #2 foo(hi, 13) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.zeek:39 #3 bro_init() diff --git a/testing/btest/Baseline/language.invalid_index/out b/testing/btest/Baseline/language.invalid_index/out index 4ba0373e91..aa3784aa3e 100644 --- a/testing/btest/Baseline/language.invalid_index/out +++ b/testing/btest/Baseline/language.invalid_index/out 
@@ -1,5 +1,5 @@ -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 10: no such index (foo[1]) -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 16: no such index (foo2[1]) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.invalid_index/invalid_index.zeek, line 10: no such index (foo[1]) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.invalid_index/invalid_index.zeek, line 16: no such index (foo2[1]) foo[0], 42 foo2[0], 13 done diff --git a/testing/btest/Baseline/language.outer_param_binding/out b/testing/btest/Baseline/language.outer_param_binding/out index 28ad03c85a..afdc4191cd 100644 --- a/testing/btest/Baseline/language.outer_param_binding/out +++ b/testing/btest/Baseline/language.outer_param_binding/out @@ -1,3 +1,3 @@ -error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.bro, line 16: referencing outer function IDs not supported (c) -error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.bro, line 16: referencing outer function IDs not supported (d) -error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.bro, line 17: referencing outer function IDs not supported (b) +error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.zeek, line 16: referencing outer function IDs not supported (c) +error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.zeek, line 16: referencing outer function IDs not supported (d) +error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.zeek, line 17: referencing outer function IDs not supported (b) 
diff --git a/testing/btest/Baseline/language.record-bad-ctor/out b/testing/btest/Baseline/language.record-bad-ctor/out
index d30d0ab9d3..e6ff4a8fd5 100644
--- a/testing/btest/Baseline/language.record-bad-ctor/out
+++ b/testing/btest/Baseline/language.record-bad-ctor/out
@@ -1,2 +1,2 @@
-error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 6: no type given (asdfasdf)
-expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: uninitialized list value ($ports=asdfasdf)
+error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.zeek, line 6: no type given (asdfasdf)
+expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.zeek, line 7: uninitialized list value ($ports=asdfasdf)
diff --git a/testing/btest/Baseline/language.record-bad-ctor2/out b/testing/btest/Baseline/language.record-bad-ctor2/out
index d5ce540dd8..12b0fe3959 100644
--- a/testing/btest/Baseline/language.record-bad-ctor2/out
+++ b/testing/btest/Baseline/language.record-bad-ctor2/out
@@ -1 +1 @@
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor2/record-bad-ctor2.bro, line 14: bad type in record constructor ([[$cmd=echo hi]] and [$cmd=echo hi])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor2/record-bad-ctor2.zeek, line 14: bad type in record constructor ([[$cmd=echo hi]] and [$cmd=echo hi])
diff --git a/testing/btest/Baseline/language.record-ceorce-orphan/out b/testing/btest/Baseline/language.record-ceorce-orphan/out
index 59df204af2..f848945979 100644
--- a/testing/btest/Baseline/language.record-ceorce-orphan/out
+++ b/testing/btest/Baseline/language.record-ceorce-orphan/out
@@ -1,2 +1,2 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.record-ceorce-orphan/record-ceorce-orphan.bro, line 19: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
-error in /home/robin/bro/master/testing/btest/.tmp/language.record-ceorce-orphan/record-ceorce-orphan.bro, line 21: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
+error in /home/robin/bro/master/testing/btest/.tmp/language.record-ceorce-orphan/record-ceorce-orphan.zeek, line 19: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
+error in /home/robin/bro/master/testing/btest/.tmp/language.record-ceorce-orphan/record-ceorce-orphan.zeek, line 21: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
diff --git a/testing/btest/Baseline/language.record-coerce-clash/out b/testing/btest/Baseline/language.record-coerce-clash/out
index 9ef4116c7e..cb45413c63 100644
--- a/testing/btest/Baseline/language.record-coerce-clash/out
+++ b/testing/btest/Baseline/language.record-coerce-clash/out
@@ -1 +1 @@
-error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/language.record-coerce-clash/record-coerce-clash.bro, line 13: type clash for field "cid" ((coerce [$cid=[$orig_h=1.2.3.4, $orig_p=0/tcp, $resp_h=0.0.0.0, $resp_p=wrong]] to myrec) and record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:string; })
+error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/language.record-coerce-clash/record-coerce-clash.zeek, line 13: type clash for field "cid" ((coerce [$cid=[$orig_h=1.2.3.4, $orig_p=0/tcp, $resp_h=0.0.0.0, $resp_p=wrong]] to myrec) and record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:string; })
diff --git a/testing/btest/Baseline/language.record-default-set-mismatch/out b/testing/btest/Baseline/language.record-default-set-mismatch/out
index c005138c0c..ba40f934f7 100644
--- a/testing/btest/Baseline/language.record-default-set-mismatch/out
+++ b/testing/btest/Baseline/language.record-default-set-mismatch/out
@@ -1 +1 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.record-default-set-mismatch/record-default-set-mismatch.bro, line 5: &default value has inconsistent type (&default=set(1, 2, 3))
+error in /home/robin/bro/master/testing/btest/.tmp/language.record-default-set-mismatch/record-default-set-mismatch.zeek, line 5: &default value has inconsistent type (&default=set(1, 2, 3))
diff --git a/testing/btest/Baseline/language.record-type-checking/out b/testing/btest/Baseline/language.record-type-checking/out
index ecd5d7b8bb..50b0db5d8c 100644
--- a/testing/btest/Baseline/language.record-type-checking/out
+++ b/testing/btest/Baseline/language.record-type-checking/out
@@ -1,11 +1,11 @@ -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 9 and count: type clash for field "a" ((coerce [$a=0] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 9: bad record initializer ((coerce [$a=0] to error)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 12 and count: type clash for field "a" ((coerce [$a=1] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 12: bad record initializer ((coerce (coerce [$a=1] to error) to error)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 18 and count: type clash for field "a" ((coerce [$a=2] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 22 and count: type clash for field "a" ((coerce [$a=3] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 22: bad record initializer ((coerce [$a=3] to error)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 27 and count: type clash for field "a" ((coerce [$a=1000] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 33 and count: type clash for field "a" ((coerce [$a=1001] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 40 and count: type clash for field "a" ((coerce [$a=1002] to MyRec) and count) -error in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 46 and count: type clash for field "a" ((coerce [$a=1003] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 9 and count: type clash for field "a" ((coerce [$a=0] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 9: bad record initializer ((coerce [$a=0] to error)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 12 and count: type clash for field "a" ((coerce [$a=1] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 12: bad record initializer ((coerce (coerce [$a=1] to error) to error)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 18 and count: type clash for field "a" ((coerce [$a=2] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 22 and count: type clash for field "a" ((coerce [$a=3] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 22: bad record initializer ((coerce [$a=3] to error)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 27 and count: type clash for field "a" ((coerce [$a=1000] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 33 and count: type clash for field "a" ((coerce [$a=1001] to MyRec) and count) +error in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 40 and count: type clash for field "a" ((coerce [$a=1002] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 46 and count: type clash for field "a" ((coerce [$a=1003] to MyRec) and count) diff --git a/testing/btest/Baseline/language.set-type-checking/out b/testing/btest/Baseline/language.set-type-checking/out index 0387146723..d27da6205a 100644 --- a/testing/btest/Baseline/language.set-type-checking/out +++ b/testing/btest/Baseline/language.set-type-checking/out 
@@ -1,24 +1,24 @@ -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 7: arithmetic mixed with non-arithmetic (port and 0) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 7 and port: type mismatch (0 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 7: inconsistent type in set constructor (set(0)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 10: arithmetic mixed with non-arithmetic (port and 1) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 10 and port: type mismatch (1 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 10: inconsistent type in set constructor (set(1)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 16: arithmetic mixed with non-arithmetic (port and 2) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 16 and port: type mismatch (2 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 16: inconsistent type in set constructor (set(2)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 7: arithmetic mixed with non-arithmetic (port and 0) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 7 and port: type mismatch (0 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 7: inconsistent type in set constructor 
(set(0)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 10: arithmetic mixed with non-arithmetic (port and 1) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 10 and port: type mismatch (1 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 10: inconsistent type in set constructor (set(1)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 16: arithmetic mixed with non-arithmetic (port and 2) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 16 and port: type mismatch (2 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 16: inconsistent type in set constructor (set(2)) error in port: arithmetic mixed with non-arithmetic (port and 3) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 20: initialization type mismatch in set (set(3) and 3) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 25: arithmetic mixed with non-arithmetic (port and 1000) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 25 and port: type mismatch (1000 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 25: inconsistent type in set constructor (set(1000)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 31: arithmetic mixed with non-arithmetic (port and 1001) -error in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 31 and port: type mismatch (1001 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 31: inconsistent type in set constructor (set(1001)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 38: arithmetic mixed with non-arithmetic (port and 1002) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 38 and port: type mismatch (1002 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 38: inconsistent type in set constructor (set(1002)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 44: arithmetic mixed with non-arithmetic (port and 1003) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 44 and port: type mismatch (1003 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 44: inconsistent type in set constructor (set(1003)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 44: type clash in assignment (lea = set(1003)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 20: initialization type mismatch in set (set(3) and 3) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 25: arithmetic mixed with non-arithmetic (port and 1000) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 25 and port: type mismatch (1000 and 
port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 25: inconsistent type in set constructor (set(1000)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 31: arithmetic mixed with non-arithmetic (port and 1001) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 31 and port: type mismatch (1001 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 31: inconsistent type in set constructor (set(1001)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 38: arithmetic mixed with non-arithmetic (port and 1002) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 38 and port: type mismatch (1002 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 38: inconsistent type in set constructor (set(1002)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 44: arithmetic mixed with non-arithmetic (port and 1003) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 44 and port: type mismatch (1003 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 44: inconsistent type in set constructor (set(1003)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 44: type clash in assignment (lea = set(1003)) 
diff --git a/testing/btest/Baseline/language.subnet-errors/out b/testing/btest/Baseline/language.subnet-errors/out index 5d8e3d76da..97e999ef9b 100644 --- a/testing/btest/Baseline/language.subnet-errors/out +++ b/testing/btest/Baseline/language.subnet-errors/out @@ -1,5 +1,5 @@ -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.subnet-errors/subnet-errors.bro, line 9: bad IPv4 subnet prefix length: 33 (1.2.3.4 / i) -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.subnet-errors/subnet-errors.bro, line 18: bad IPv6 subnet prefix length: 129 (:: / i) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.subnet-errors/subnet-errors.zeek, line 9: bad IPv4 subnet prefix length: 33 (1.2.3.4 / i) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.subnet-errors/subnet-errors.zeek, line 18: bad IPv6 subnet prefix length: 129 (:: / i) 1.2.3.4/32 ::/128 init last diff --git a/testing/btest/Baseline/language.switch-error-mixed/out b/testing/btest/Baseline/language.switch-error-mixed/out index 75fa1d84c2..679b34f6ef 100644 --- a/testing/btest/Baseline/language.switch-error-mixed/out +++ b/testing/btest/Baseline/language.switch-error-mixed/out @@ -1 +1 @@ -error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-error-mixed/switch-error-mixed.bro, line 6: cannot mix cases with expressions and types (switch (v) {case 42:{ return (42!)}case type count:{ return (Count!)}}) +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-error-mixed/switch-error-mixed.zeek, line 6: cannot mix cases with expressions and types (switch (v) {case 42:{ return (42!)}case type count:{ return (Count!)}}) diff --git a/testing/btest/Baseline/language.switch-incomplete/out b/testing/btest/Baseline/language.switch-incomplete/out index bfe4429956..4ce7d39a08 100644 --- a/testing/btest/Baseline/language.switch-incomplete/out +++ b/testing/btest/Baseline/language.switch-incomplete/out 
@@ -1 +1 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.switch-incomplete/switch-incomplete.bro, lines 7-8: case block must end in break/fallthrough/return statement (case 1:{ print 1})
+error in /home/robin/bro/master/testing/btest/.tmp/language.switch-incomplete/switch-incomplete.zeek, lines 7-8: case block must end in break/fallthrough/return statement (case 1:{ print 1})
diff --git a/testing/btest/Baseline/language.switch-types-error-duplicate/out b/testing/btest/Baseline/language.switch-types-error-duplicate/out
index e523b14550..0ab618bc16 100644
--- a/testing/btest/Baseline/language.switch-types-error-duplicate/out
+++ b/testing/btest/Baseline/language.switch-types-error-duplicate/out
@@ -1 +1 @@
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-duplicate/switch-types-error-duplicate.bro, lines 11-12: duplicate case label (case type bool, type count:{ return (Bool or address!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-duplicate/switch-types-error-duplicate.zeek, lines 11-12: duplicate case label (case type bool, type count:{ return (Bool or address!)})
diff --git a/testing/btest/Baseline/language.switch-types-error-unsupported/out b/testing/btest/Baseline/language.switch-types-error-unsupported/out
index 133c8653f2..7932073710 100644
--- a/testing/btest/Baseline/language.switch-types-error-unsupported/out
+++ b/testing/btest/Baseline/language.switch-types-error-unsupported/out
@@ -1,3 +1,3 @@
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 9-10: cannot cast switch expression to case type (case type count:{ return (Count!)})
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.zeek, lines 9-10: cannot cast switch expression to case type (case type count:{ return (Count!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.zeek, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.zeek, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
diff --git a/testing/btest/Baseline/language.table-type-checking/out b/testing/btest/Baseline/language.table-type-checking/out
index 488cb83ab2..a6307a6155 100644
--- a/testing/btest/Baseline/language.table-type-checking/out
+++ b/testing/btest/Baseline/language.table-type-checking/out
@@ -1,14 +1,14 @@ -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 7: type clash (port and zero) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 7: inconsistent types in table constructor (table(zero = 0)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 10: type clash (port and one) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 10: inconsistent types in table constructor (table(one = 1)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 17: type clash in assignment (gda = gda2) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 21 and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 4: index type doesn't match table (three and list of port) -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 21: type clash in table assignment (three = 3) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 26: type clash (port and thousand) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 26: inconsistent types in table constructor (table(thousand = 1000)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 32: type clash (port and thousand-one) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 32: inconsistent types in table 
constructor (table(thousand-one = 1001)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 39: type clash (port and thousand-two) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 39: inconsistent types in table constructor (table(thousand-two = 1002)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 45: type clash in assignment (lea = table(thousand-three = 1003)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 7: type clash (port and zero) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 7: inconsistent types in table constructor (table(zero = 0)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 10: type clash (port and one) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 10: inconsistent types in table constructor (table(one = 1)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 17: type clash in assignment (gda = gda2) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 21 and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 4: index type doesn't match table (three and list of port) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 21: type clash in table assignment (three = 3) +error in port and 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 26: type clash (port and thousand) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 26: inconsistent types in table constructor (table(thousand = 1000)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 32: type clash (port and thousand-one) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 32: inconsistent types in table constructor (table(thousand-one = 1001)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 39: type clash (port and thousand-two) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 39: inconsistent types in table constructor (table(thousand-two = 1002)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 45: type clash in assignment (lea = table(thousand-three = 1003)) diff --git a/testing/btest/Baseline/language.ternary-record-mismatch/out b/testing/btest/Baseline/language.ternary-record-mismatch/out index 0c1cefce0d..91a3aa2e02 100644 --- a/testing/btest/Baseline/language.ternary-record-mismatch/out +++ b/testing/btest/Baseline/language.ternary-record-mismatch/out 
@@ -1 +1 @@
-error in /Users/jon/pro/zeek/zeek/testing/btest/.tmp/language.ternary-record-mismatch/ternary-record-mismatch.bro, lines 13-14: operands must be of the same type ((F) ? (coerce [$a=a string, $b=6] to MyRecord) : [$a=a different string, $b=7])
+error in /Users/jon/pro/zeek/zeek/testing/btest/.tmp/language.ternary-record-mismatch/ternary-record-mismatch.zeek, lines 13-14: operands must be of the same type ((F) ? (coerce [$a=a string, $b=6] to MyRecord) : [$a=a different string, $b=7])
diff --git a/testing/btest/Baseline/language.type-cast-error-dynamic/output b/testing/btest/Baseline/language.type-cast-error-dynamic/output
index 7c4ec0332f..dfac361f11 100644
--- a/testing/btest/Baseline/language.type-cast-error-dynamic/output
+++ b/testing/btest/Baseline/language.type-cast-error-dynamic/output
@@ -1,4 +1,4 @@ -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'count' to type 'string' (a as string) -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'record { a:addr; b:port; }' to type 'string' (a as string) -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'record { data:opaque of Broker::Data; }' to type 'string' (nil $data field) (a as string) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.zeek, line 11: invalid cast of value with type 'count' to type 'string' (a as string) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.zeek, line 11: invalid cast of value with type 'record { a:addr; b:port; }' to type 'string' (a as string) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.zeek, line 11: invalid cast of value with type 'record { data:opaque of Broker::Data; }' to type 'string' (nil $data field) (a as string) data is string, F diff --git a/testing/btest/Baseline/language.type-cast-error-static/output b/testing/btest/Baseline/language.type-cast-error-static/output index a93e262f21..bd00361939 100644 --- a/testing/btest/Baseline/language.type-cast-error-static/output +++ b/testing/btest/Baseline/language.type-cast-error-static/output 
@@ -1,2 +1,2 @@ -error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.bro, line 14: cast not supported (string as count) -error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.bro, line 15: cast not supported (string as X) +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.zeek, line 14: cast not supported (string as count) +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.zeek, line 15: cast not supported (string as X) diff --git a/testing/btest/Baseline/language.type-type-error/.stderr b/testing/btest/Baseline/language.type-type-error/.stderr index 95cb065ece..b0e0800c72 100644 --- a/testing/btest/Baseline/language.type-type-error/.stderr +++ b/testing/btest/Baseline/language.type-type-error/.stderr @@ -1 +1 @@ -error in /home/jsiwek/bro/testing/btest/.tmp/language.type-type-error/type-type-error.bro, line 13: not a record (r$a) +error in /home/jsiwek/bro/testing/btest/.tmp/language.type-type-error/type-type-error.zeek, line 13: not a record (r$a) diff --git a/testing/btest/Baseline/language.undefined-delete-field/output b/testing/btest/Baseline/language.undefined-delete-field/output index bd0fb99289..99a71b1087 100644 --- a/testing/btest/Baseline/language.undefined-delete-field/output +++ b/testing/btest/Baseline/language.undefined-delete-field/output @@ -1,2 +1,2 @@ -error in /Users/johanna/bro/master/testing/btest/.tmp/language.undefined-delete-field/undefined-delete-field.bro, line 14: no such field in record (x$c) +error in /Users/johanna/bro/master/testing/btest/.tmp/language.undefined-delete-field/undefined-delete-field.zeek, line 14: no such field in record (x$c) 1 diff --git a/testing/btest/Baseline/language.uninitialized-local/out b/testing/btest/Baseline/language.uninitialized-local/out index 24d45d3456..dd6867f524 100644 
--- a/testing/btest/Baseline/language.uninitialized-local/out +++ b/testing/btest/Baseline/language.uninitialized-local/out @@ -1 +1 @@ -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.uninitialized-local/uninitialized-local.bro, line 16: value used but not set (my_string) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.uninitialized-local/uninitialized-local.zeek, line 16: value used but not set (my_string) diff --git a/testing/btest/Baseline/language.uninitialized-local2/out b/testing/btest/Baseline/language.uninitialized-local2/out index bba567878e..ba668f08ff 100644 --- a/testing/btest/Baseline/language.uninitialized-local2/out +++ b/testing/btest/Baseline/language.uninitialized-local2/out @@ -1,2 +1,2 @@ -expression error in /home/jon/projects/bro/bro/testing/btest/.tmp/language.uninitialized-local2/uninitialized-local2.bro, line 19: value used but not set (var_b) +expression error in /home/jon/projects/bro/bro/testing/btest/.tmp/language.uninitialized-local2/uninitialized-local2.zeek, line 19: value used but not set (var_b) var_a is, baz diff --git a/testing/btest/Baseline/language.vector-type-checking/out b/testing/btest/Baseline/language.vector-type-checking/out index e96017082a..33be41836f 100644 --- a/testing/btest/Baseline/language.vector-type-checking/out +++ b/testing/btest/Baseline/language.vector-type-checking/out 
@@ -1,19 +1,19 @@ -error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 7: arithmetic mixed with non-arithmetic (count and zero) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 7 and count: type mismatch (zero and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 7: inconsistent types in vector constructor (vector(zero)) -error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 10: arithmetic mixed with non-arithmetic (count and one) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 10 and count: type mismatch (one and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 10: inconsistent types in vector constructor (vector(one)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 17: type clash in assignment (gda = gda2) -error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 21: arithmetic mixed with non-arithmetic (count and three) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 21: initialization type mismatch at index 0 (vector(three) and three) -error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 26: arithmetic mixed with non-arithmetic (count and thousand) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 26 and count: type mismatch (thousand and count) -error 
in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 26: inconsistent types in vector constructor (vector(thousand)) -error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 32: arithmetic mixed with non-arithmetic (count and thousand-one) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 32 and count: type mismatch (thousand-one and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 32: inconsistent types in vector constructor (vector(thousand-one)) -error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 39: arithmetic mixed with non-arithmetic (count and thousand-two) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 39 and count: type mismatch (thousand-two and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 39: inconsistent types in vector constructor (vector(thousand-two)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 45: type clash in assignment (lea = vector(thousand-three)) +error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 7: arithmetic mixed with non-arithmetic (count and zero) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 7 and count: type mismatch (zero and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 7: inconsistent types in vector constructor 
(vector(zero)) +error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 10: arithmetic mixed with non-arithmetic (count and one) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 10 and count: type mismatch (one and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 10: inconsistent types in vector constructor (vector(one)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 17: type clash in assignment (gda = gda2) +error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 21: arithmetic mixed with non-arithmetic (count and three) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 21: initialization type mismatch at index 0 (vector(three) and three) +error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 26: arithmetic mixed with non-arithmetic (count and thousand) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 26 and count: type mismatch (thousand and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 26: inconsistent types in vector constructor (vector(thousand)) +error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 32: arithmetic mixed with non-arithmetic (count and thousand-one) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 32 and count: type mismatch 
(thousand-one and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 32: inconsistent types in vector constructor (vector(thousand-one)) +error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 39: arithmetic mixed with non-arithmetic (count and thousand-two) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 39 and count: type mismatch (thousand-two and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 39: inconsistent types in vector constructor (vector(thousand-two)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 45: type clash in assignment (lea = vector(thousand-three)) diff --git a/testing/btest/Baseline/language.when-unitialized-rhs/out b/testing/btest/Baseline/language.when-unitialized-rhs/out index 6698887be0..bad1bdbb78 100644 --- a/testing/btest/Baseline/language.when-unitialized-rhs/out +++ b/testing/btest/Baseline/language.when-unitialized-rhs/out @@ -1,5 +1,5 @@ -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 9: value used but not set (crashMe) -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 14: value used but not set (x) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.zeek, line 9: value used but not set (crashMe) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.zeek, line 14: value used but not set (x) 1 2 3 
diff --git a/testing/btest/Baseline/language.wrong-delete-field/output b/testing/btest/Baseline/language.wrong-delete-field/output index 1eefa1d2fe..1250f03c3d 100644 --- a/testing/btest/Baseline/language.wrong-delete-field/output +++ b/testing/btest/Baseline/language.wrong-delete-field/output @@ -1 +1 @@ -error in /da/home/robin/bro/master/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.bro, line 10: illegal delete statement (delete x$a) +error in /da/home/robin/bro/master/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.zeek, line 10: illegal delete statement (delete x$a) diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 0d383879f7..cd3ac7337f 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -788,7 +788,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/weird.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, <...>/__load__.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, <...>/__preload__.zeek) -> -1 -0.000000 MetaHookPost LoadFile(0, <...>/hooks.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/hooks.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Bro_KRB.types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Bro_SNMP.types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/active-http.zeek) -> -1 @@ -1691,7 +1691,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/weird.zeek) 0.000000 MetaHookPre LoadFile(0, <...>/__load__.zeek) 0.000000 MetaHookPre LoadFile(0, <...>/__preload__.zeek) -0.000000 MetaHookPre LoadFile(0, <...>/hooks.bro) +0.000000 MetaHookPre LoadFile(0, <...>/hooks.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Bro_KRB.types.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Bro_SNMP.types.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/active-http.zeek) 
@@ -2602,7 +2602,7 @@ 0.000000 | HookLoadFile .<...>/weird.zeek 0.000000 | HookLoadFile <...>/__load__.zeek 0.000000 | HookLoadFile <...>/__preload__.zeek -0.000000 | HookLoadFile <...>/hooks.bro +0.000000 | HookLoadFile <...>/hooks.zeek 0.000000 | HookLoadFile base<...>/Bro_KRB.types.bif.zeek 0.000000 | HookLoadFile base<...>/Bro_SNMP.types.bif.zeek 0.000000 | HookLoadFile base<...>/active-http.zeek diff --git a/testing/btest/Baseline/plugins.reporter-hook/output b/testing/btest/Baseline/plugins.reporter-hook/output index 8f706ec644..36418d2405 100644 --- a/testing/btest/Baseline/plugins.reporter-hook/output +++ b/testing/btest/Baseline/plugins.reporter-hook/output 
@@ -1,10 +1,10 @@ - | Hook Some Info <...>/reporter-hook.bro, line 16 - | Hook error An Error <...>/reporter-hook.bro, line 18 - | Hook error An Error that does not show up in the log <...>/reporter-hook.bro, line 19 - | Hook expression error field value missing (b$a) <...>/reporter-hook.bro, line 23 - | Hook warning A warning <...>/reporter-hook.bro, line 17 -<...>/reporter-hook.bro, line 16: Some Info -error in <...>/reporter-hook.bro, line 18: An Error -error in <...>/reporter-hook.bro, line 19: An Error that does not show up in the log -expression error in <...>/reporter-hook.bro, line 23: field value missing (b$a) -warning in <...>/reporter-hook.bro, line 17: A warning + | Hook Some Info <...>/reporter-hook.zeek, line 16 + | Hook error An Error <...>/reporter-hook.zeek, line 18 + | Hook error An Error that does not show up in the log <...>/reporter-hook.zeek, line 19 + | Hook expression error field value missing (b$a) <...>/reporter-hook.zeek, line 23 + | Hook warning A warning <...>/reporter-hook.zeek, line 17 +<...>/reporter-hook.zeek, line 16: Some Info +error in <...>/reporter-hook.zeek, line 18: An Error +error in <...>/reporter-hook.zeek, line 19: An Error that does not show up in the log +expression error in <...>/reporter-hook.zeek, line 23: field value missing (b$a) +warning in <...>/reporter-hook.zeek, line 17: A warning diff --git a/testing/btest/Baseline/plugins.reporter-hook/reporter.log b/testing/btest/Baseline/plugins.reporter-hook/reporter.log index bce2fb909f..fc5a79bc86 100644 --- a/testing/btest/Baseline/plugins.reporter-hook/reporter.log +++ b/testing/btest/Baseline/plugins.reporter-hook/reporter.log 
@@ -6,8 +6,8 @@ #open 2017-07-26-17-58-52 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Some Info /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 16 -0.000000 Reporter::WARNING A warning /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 17 -0.000000 Reporter::ERROR An Error /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 18 -0.000000 Reporter::ERROR field value missing (b$a) /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 23 +0.000000 Reporter::INFO Some Info /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.zeek, line 16 +0.000000 Reporter::WARNING A warning /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.zeek, line 17 +0.000000 Reporter::ERROR An Error /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.zeek, line 18 +0.000000 Reporter::ERROR field value missing (b$a) /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.zeek, line 23 #close 2017-07-26-17-58-52 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log index f4b240d619..a58380f26c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log 
@@ -1,2 +1,2 @@ -1535139819.649067 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.bro, line XX -1535139821.906059 bah manager-1 0.000000 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.bro, line XX +1535139819.649067 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.zeek, line XX +1535139821.906059 bah manager-1 0.000000 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.zeek, line XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-table/.stderr b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-table/.stderr index ff76d4ea54..5efd4bac43 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-table/.stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-table/.stderr @@ -1,2 +1,2 @@ -error in /testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-table/field-extension-table.bro, line 9: &log applied to a type that cannot be logged (&log) -error in /testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-table/field-extension-table.bro, line 18: syntax error, at or near "{" +error in /testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-table/field-extension-table.zeek, line 9: &log applied to a type that cannot be logged (&log) +error in /testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-table/field-extension-table.zeek, line 18: syntax error, at or near "{" 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.reporter.disable-stderr/reporter.log b/testing/btest/Baseline/scripts.base.frameworks.reporter.disable-stderr/reporter.log index 144c094b2f..744f050046 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.reporter.disable-stderr/reporter.log +++ b/testing/btest/Baseline/scripts.base.frameworks.reporter.disable-stderr/reporter.log @@ -6,5 +6,5 @@ #open 2012-08-10-20-09-16 #fields ts level message location #types time enum string string -0.000000 Reporter::ERROR no such index (test[3]) /da/home/robin/bro/master/testing/btest/.tmp/scripts.base.frameworks.reporter.disable-stderr/disable-stderr.bro, line 12 +0.000000 Reporter::ERROR no such index (test[3]) /da/home/robin/bro/master/testing/btest/.tmp/scripts.base.frameworks.reporter.disable-stderr/disable-stderr.zeek, line 12 #close 2012-08-10-20-09-16 diff --git a/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/.stderr b/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/.stderr index ed161b2409..b01cfa1e84 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/.stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/.stderr @@ -1 +1 @@ -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.reporter.stderr/stderr.bro, line 9: no such index (test[3]) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.reporter.stderr/stderr.zeek, line 9: no such index (test[3]) diff --git a/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/reporter.log b/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/reporter.log index 391cf77a00..705bb357fa 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/reporter.log +++ b/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/reporter.log 
@@ -6,5 +6,5 @@ #open 2013-01-18-18-29-30 #fields ts level message location #types time enum string string -0.000000 Reporter::ERROR no such index (test[3]) /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.reporter.stderr/stderr.bro, line 9 +0.000000 Reporter::ERROR no such index (test[3]) /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.reporter.stderr/stderr.zeek, line 9 #close 2013-01-18-18-29-30 diff --git a/testing/btest/bifs/addr_count_conversion.bro b/testing/btest/bifs/addr_count_conversion.zeek similarity index 100% rename from testing/btest/bifs/addr_count_conversion.bro rename to testing/btest/bifs/addr_count_conversion.zeek diff --git a/testing/btest/bifs/addr_to_ptr_name.bro b/testing/btest/bifs/addr_to_ptr_name.zeek similarity index 100% rename from testing/btest/bifs/addr_to_ptr_name.bro rename to testing/btest/bifs/addr_to_ptr_name.zeek diff --git a/testing/btest/bifs/addr_version.bro b/testing/btest/bifs/addr_version.zeek similarity index 100% rename from testing/btest/bifs/addr_version.bro rename to testing/btest/bifs/addr_version.zeek diff --git a/testing/btest/bifs/all_set.bro b/testing/btest/bifs/all_set.zeek similarity index 100% rename from testing/btest/bifs/all_set.bro rename to testing/btest/bifs/all_set.zeek diff --git a/testing/btest/bifs/analyzer_name.bro b/testing/btest/bifs/analyzer_name.zeek similarity index 100% rename from testing/btest/bifs/analyzer_name.bro rename to testing/btest/bifs/analyzer_name.zeek diff --git a/testing/btest/bifs/any_set.bro b/testing/btest/bifs/any_set.zeek similarity index 100% rename from testing/btest/bifs/any_set.bro rename to testing/btest/bifs/any_set.zeek diff --git a/testing/btest/bifs/bloomfilter-seed.bro b/testing/btest/bifs/bloomfilter-seed.zeek similarity index 100% rename from testing/btest/bifs/bloomfilter-seed.bro rename to testing/btest/bifs/bloomfilter-seed.zeek 
diff --git a/testing/btest/bifs/bloomfilter.bro b/testing/btest/bifs/bloomfilter.zeek
similarity index 100%
rename from testing/btest/bifs/bloomfilter.bro
rename to testing/btest/bifs/bloomfilter.zeek
diff --git a/testing/btest/bifs/bro_version.bro b/testing/btest/bifs/bro_version.zeek
similarity index 100%
rename from testing/btest/bifs/bro_version.bro
rename to testing/btest/bifs/bro_version.zeek
diff --git a/testing/btest/bifs/bytestring_to_count.bro b/testing/btest/bifs/bytestring_to_count.zeek
similarity index 100%
rename from testing/btest/bifs/bytestring_to_count.bro
rename to testing/btest/bifs/bytestring_to_count.zeek
diff --git a/testing/btest/bifs/bytestring_to_double.bro b/testing/btest/bifs/bytestring_to_double.zeek
similarity index 100%
rename from testing/btest/bifs/bytestring_to_double.bro
rename to testing/btest/bifs/bytestring_to_double.zeek
diff --git a/testing/btest/bifs/bytestring_to_hexstr.bro b/testing/btest/bifs/bytestring_to_hexstr.zeek
similarity index 100%
rename from testing/btest/bifs/bytestring_to_hexstr.bro
rename to testing/btest/bifs/bytestring_to_hexstr.zeek
diff --git a/testing/btest/bifs/capture_state_updates.bro b/testing/btest/bifs/capture_state_updates.zeek
similarity index 100%
rename from testing/btest/bifs/capture_state_updates.bro
rename to testing/btest/bifs/capture_state_updates.zeek
diff --git a/testing/btest/bifs/cat.bro b/testing/btest/bifs/cat.zeek
similarity index 100%
rename from testing/btest/bifs/cat.bro
rename to testing/btest/bifs/cat.zeek
diff --git a/testing/btest/bifs/cat_string_array.bro b/testing/btest/bifs/cat_string_array.zeek
similarity index 100%
rename from testing/btest/bifs/cat_string_array.bro
rename to testing/btest/bifs/cat_string_array.zeek
diff --git a/testing/btest/bifs/check_subnet.bro b/testing/btest/bifs/check_subnet.zeek
similarity index 100%
rename from testing/btest/bifs/check_subnet.bro
rename to testing/btest/bifs/check_subnet.zeek
diff --git a/testing/btest/bifs/checkpoint_state.bro b/testing/btest/bifs/checkpoint_state.zeek
similarity index 100%
rename from testing/btest/bifs/checkpoint_state.bro
rename to testing/btest/bifs/checkpoint_state.zeek
diff --git a/testing/btest/bifs/clear_table.bro b/testing/btest/bifs/clear_table.zeek
similarity index 100%
rename from testing/btest/bifs/clear_table.bro
rename to testing/btest/bifs/clear_table.zeek
diff --git a/testing/btest/bifs/convert_for_pattern.bro b/testing/btest/bifs/convert_for_pattern.zeek
similarity index 100%
rename from testing/btest/bifs/convert_for_pattern.bro
rename to testing/btest/bifs/convert_for_pattern.zeek
diff --git a/testing/btest/bifs/count_to_addr.bro b/testing/btest/bifs/count_to_addr.zeek
similarity index 100%
rename from testing/btest/bifs/count_to_addr.bro
rename to testing/btest/bifs/count_to_addr.zeek
diff --git a/testing/btest/bifs/create_file.bro b/testing/btest/bifs/create_file.zeek
similarity index 100%
rename from testing/btest/bifs/create_file.bro
rename to testing/btest/bifs/create_file.zeek
diff --git a/testing/btest/bifs/current_analyzer.bro b/testing/btest/bifs/current_analyzer.zeek
similarity index 100%
rename from testing/btest/bifs/current_analyzer.bro
rename to testing/btest/bifs/current_analyzer.zeek
diff --git a/testing/btest/bifs/current_time.bro b/testing/btest/bifs/current_time.zeek
similarity index 100%
rename from testing/btest/bifs/current_time.bro
rename to testing/btest/bifs/current_time.zeek
diff --git a/testing/btest/bifs/decode_base64.bro b/testing/btest/bifs/decode_base64.zeek
similarity index 100%
rename from testing/btest/bifs/decode_base64.bro
rename to testing/btest/bifs/decode_base64.zeek
diff --git a/testing/btest/bifs/decode_base64_conn.bro b/testing/btest/bifs/decode_base64_conn.zeek
similarity index 100%
rename from testing/btest/bifs/decode_base64_conn.bro
rename to testing/btest/bifs/decode_base64_conn.zeek
diff --git a/testing/btest/bifs/directory_operations.bro b/testing/btest/bifs/directory_operations.zeek
similarity index 100%
rename from testing/btest/bifs/directory_operations.bro
rename to testing/btest/bifs/directory_operations.zeek
diff --git a/testing/btest/bifs/dump_current_packet.bro b/testing/btest/bifs/dump_current_packet.zeek
similarity index 100%
rename from testing/btest/bifs/dump_current_packet.bro
rename to testing/btest/bifs/dump_current_packet.zeek
diff --git a/testing/btest/bifs/edit.bro b/testing/btest/bifs/edit.zeek
similarity index 100%
rename from testing/btest/bifs/edit.bro
rename to testing/btest/bifs/edit.zeek
diff --git a/testing/btest/bifs/encode_base64.bro b/testing/btest/bifs/encode_base64.zeek
similarity index 100%
rename from testing/btest/bifs/encode_base64.bro
rename to testing/btest/bifs/encode_base64.zeek
diff --git a/testing/btest/bifs/entropy_test.bro b/testing/btest/bifs/entropy_test.zeek
similarity index 100%
rename from testing/btest/bifs/entropy_test.bro
rename to testing/btest/bifs/entropy_test.zeek
diff --git a/testing/btest/bifs/enum_to_int.bro b/testing/btest/bifs/enum_to_int.zeek
similarity index 100%
rename from testing/btest/bifs/enum_to_int.bro
rename to testing/btest/bifs/enum_to_int.zeek
diff --git a/testing/btest/bifs/escape_string.bro b/testing/btest/bifs/escape_string.zeek
similarity index 100%
rename from testing/btest/bifs/escape_string.bro
rename to testing/btest/bifs/escape_string.zeek
diff --git a/testing/btest/bifs/exit.bro b/testing/btest/bifs/exit.zeek
similarity index 100%
rename from testing/btest/bifs/exit.bro
rename to testing/btest/bifs/exit.zeek
diff --git a/testing/btest/bifs/file_mode.bro b/testing/btest/bifs/file_mode.zeek
similarity index 100%
rename from testing/btest/bifs/file_mode.bro
rename to testing/btest/bifs/file_mode.zeek
diff --git a/testing/btest/bifs/filter_subnet_table.bro b/testing/btest/bifs/filter_subnet_table.zeek
similarity index 100%
rename from testing/btest/bifs/filter_subnet_table.bro
rename to testing/btest/bifs/filter_subnet_table.zeek
diff --git a/testing/btest/bifs/find_all.bro b/testing/btest/bifs/find_all.zeek
similarity index 100%
rename from testing/btest/bifs/find_all.bro
rename to testing/btest/bifs/find_all.zeek
diff --git a/testing/btest/bifs/find_entropy.bro b/testing/btest/bifs/find_entropy.zeek
similarity index 100%
rename from testing/btest/bifs/find_entropy.bro
rename to testing/btest/bifs/find_entropy.zeek
diff --git a/testing/btest/bifs/find_last.bro b/testing/btest/bifs/find_last.zeek
similarity index 100%
rename from testing/btest/bifs/find_last.bro
rename to testing/btest/bifs/find_last.zeek
diff --git a/testing/btest/bifs/fmt.bro b/testing/btest/bifs/fmt.zeek
similarity index 100%
rename from testing/btest/bifs/fmt.bro
rename to testing/btest/bifs/fmt.zeek
diff --git a/testing/btest/bifs/fmt_ftp_port.bro b/testing/btest/bifs/fmt_ftp_port.zeek
similarity index 100%
rename from testing/btest/bifs/fmt_ftp_port.bro
rename to testing/btest/bifs/fmt_ftp_port.zeek
diff --git a/testing/btest/bifs/get_current_packet_header.bro b/testing/btest/bifs/get_current_packet_header.zeek
similarity index 100%
rename from testing/btest/bifs/get_current_packet_header.bro
rename to testing/btest/bifs/get_current_packet_header.zeek
diff --git a/testing/btest/bifs/get_matcher_stats.bro b/testing/btest/bifs/get_matcher_stats.zeek
similarity index 100%
rename from testing/btest/bifs/get_matcher_stats.bro
rename to testing/btest/bifs/get_matcher_stats.zeek
diff --git a/testing/btest/bifs/get_port_transport_proto.bro b/testing/btest/bifs/get_port_transport_proto.zeek
similarity index 100%
rename from testing/btest/bifs/get_port_transport_proto.bro
rename to testing/btest/bifs/get_port_transport_proto.zeek
diff --git a/testing/btest/bifs/gethostname.bro b/testing/btest/bifs/gethostname.zeek
similarity index 100%
rename from testing/btest/bifs/gethostname.bro
rename to testing/btest/bifs/gethostname.zeek
diff --git a/testing/btest/bifs/getpid.bro b/testing/btest/bifs/getpid.zeek
similarity index 100%
rename from testing/btest/bifs/getpid.bro
rename to testing/btest/bifs/getpid.zeek
diff --git a/testing/btest/bifs/getsetenv.bro b/testing/btest/bifs/getsetenv.zeek
similarity index 100%
rename from testing/btest/bifs/getsetenv.bro
rename to testing/btest/bifs/getsetenv.zeek
diff --git a/testing/btest/bifs/global_ids.bro b/testing/btest/bifs/global_ids.zeek
similarity index 100%
rename from testing/btest/bifs/global_ids.bro
rename to testing/btest/bifs/global_ids.zeek
diff --git a/testing/btest/bifs/global_sizes.bro b/testing/btest/bifs/global_sizes.zeek
similarity index 100%
rename from testing/btest/bifs/global_sizes.bro
rename to testing/btest/bifs/global_sizes.zeek
diff --git a/testing/btest/bifs/haversine_distance.bro b/testing/btest/bifs/haversine_distance.zeek
similarity index 100%
rename from testing/btest/bifs/haversine_distance.bro
rename to testing/btest/bifs/haversine_distance.zeek
diff --git a/testing/btest/bifs/hexdump.bro b/testing/btest/bifs/hexdump.zeek
similarity index 100%
rename from testing/btest/bifs/hexdump.bro
rename to testing/btest/bifs/hexdump.zeek
diff --git a/testing/btest/bifs/hexstr_to_bytestring.bro b/testing/btest/bifs/hexstr_to_bytestring.zeek
similarity index 100%
rename from testing/btest/bifs/hexstr_to_bytestring.bro
rename to testing/btest/bifs/hexstr_to_bytestring.zeek
diff --git a/testing/btest/bifs/hll_cardinality.bro b/testing/btest/bifs/hll_cardinality.zeek
similarity index 100%
rename from testing/btest/bifs/hll_cardinality.bro
rename to testing/btest/bifs/hll_cardinality.zeek
diff --git a/testing/btest/bifs/hll_large_estimate.bro b/testing/btest/bifs/hll_large_estimate.zeek
similarity index 100%
rename from testing/btest/bifs/hll_large_estimate.bro
rename to testing/btest/bifs/hll_large_estimate.zeek
diff --git a/testing/btest/bifs/identify_data.bro b/testing/btest/bifs/identify_data.zeek
similarity index 100%
rename from testing/btest/bifs/identify_data.bro
rename to testing/btest/bifs/identify_data.zeek
diff --git a/testing/btest/bifs/is_ascii.bro b/testing/btest/bifs/is_ascii.zeek
similarity index 100%
rename from testing/btest/bifs/is_ascii.bro
rename to testing/btest/bifs/is_ascii.zeek
diff --git a/testing/btest/bifs/is_local_interface.bro b/testing/btest/bifs/is_local_interface.zeek
similarity index 100%
rename from testing/btest/bifs/is_local_interface.bro
rename to testing/btest/bifs/is_local_interface.zeek
diff --git a/testing/btest/bifs/is_port.bro b/testing/btest/bifs/is_port.zeek
similarity index 100%
rename from testing/btest/bifs/is_port.bro
rename to testing/btest/bifs/is_port.zeek
diff --git a/testing/btest/bifs/join_string.bro b/testing/btest/bifs/join_string.zeek
similarity index 100%
rename from testing/btest/bifs/join_string.bro
rename to testing/btest/bifs/join_string.zeek
diff --git a/testing/btest/bifs/levenshtein_distance.bro b/testing/btest/bifs/levenshtein_distance.zeek
similarity index 100%
rename from testing/btest/bifs/levenshtein_distance.bro
rename to testing/btest/bifs/levenshtein_distance.zeek
diff --git a/testing/btest/bifs/lookup_ID.bro b/testing/btest/bifs/lookup_ID.zeek
similarity index 100%
rename from testing/btest/bifs/lookup_ID.bro
rename to testing/btest/bifs/lookup_ID.zeek
diff --git a/testing/btest/bifs/lowerupper.bro b/testing/btest/bifs/lowerupper.zeek
similarity index 100%
rename from testing/btest/bifs/lowerupper.bro
rename to testing/btest/bifs/lowerupper.zeek
diff --git a/testing/btest/bifs/lstrip.bro b/testing/btest/bifs/lstrip.zeek
similarity index 100%
rename from testing/btest/bifs/lstrip.bro
rename to testing/btest/bifs/lstrip.zeek
diff --git a/testing/btest/bifs/mask_addr.bro b/testing/btest/bifs/mask_addr.zeek
similarity index 100%
rename from testing/btest/bifs/mask_addr.bro
rename to testing/btest/bifs/mask_addr.zeek
diff --git a/testing/btest/bifs/matching_subnets.bro b/testing/btest/bifs/matching_subnets.zeek
similarity index 100%
rename from testing/btest/bifs/matching_subnets.bro
rename to testing/btest/bifs/matching_subnets.zeek
diff --git a/testing/btest/bifs/math.bro b/testing/btest/bifs/math.zeek
similarity index 100%
rename from testing/btest/bifs/math.bro
rename to testing/btest/bifs/math.zeek
diff --git a/testing/btest/bifs/merge_pattern.bro b/testing/btest/bifs/merge_pattern.zeek
similarity index 100%
rename from testing/btest/bifs/merge_pattern.bro
rename to testing/btest/bifs/merge_pattern.zeek
diff --git a/testing/btest/bifs/netbios-functions.bro b/testing/btest/bifs/netbios-functions.zeek
similarity index 100%
rename from testing/btest/bifs/netbios-functions.bro
rename to testing/btest/bifs/netbios-functions.zeek
diff --git a/testing/btest/bifs/order.bro b/testing/btest/bifs/order.zeek
similarity index 100%
rename from testing/btest/bifs/order.bro
rename to testing/btest/bifs/order.zeek
diff --git a/testing/btest/bifs/parse_ftp.bro b/testing/btest/bifs/parse_ftp.zeek
similarity index 100%
rename from testing/btest/bifs/parse_ftp.bro
rename to testing/btest/bifs/parse_ftp.zeek
diff --git a/testing/btest/bifs/piped_exec.bro b/testing/btest/bifs/piped_exec.zeek
similarity index 100%
rename from testing/btest/bifs/piped_exec.bro
rename to testing/btest/bifs/piped_exec.zeek
diff --git a/testing/btest/bifs/ptr_name_to_addr.bro b/testing/btest/bifs/ptr_name_to_addr.zeek
similarity index 100%
rename from testing/btest/bifs/ptr_name_to_addr.bro
rename to testing/btest/bifs/ptr_name_to_addr.zeek
diff --git a/testing/btest/bifs/rand.bro b/testing/btest/bifs/rand.zeek
similarity index 100%
rename from testing/btest/bifs/rand.bro
rename to testing/btest/bifs/rand.zeek
diff --git a/testing/btest/bifs/raw_bytes_to_v4_addr.bro b/testing/btest/bifs/raw_bytes_to_v4_addr.zeek
similarity index 100%
rename from testing/btest/bifs/raw_bytes_to_v4_addr.bro
rename to testing/btest/bifs/raw_bytes_to_v4_addr.zeek
diff --git a/testing/btest/bifs/reading_traces.bro b/testing/btest/bifs/reading_traces.zeek
similarity index 100%
rename from testing/btest/bifs/reading_traces.bro
rename to testing/btest/bifs/reading_traces.zeek
diff --git a/testing/btest/bifs/record_type_to_vector.bro b/testing/btest/bifs/record_type_to_vector.zeek
similarity index 100%
rename from testing/btest/bifs/record_type_to_vector.bro
rename to testing/btest/bifs/record_type_to_vector.zeek
diff --git a/testing/btest/bifs/records_fields.bro b/testing/btest/bifs/records_fields.zeek
similarity index 100%
rename from testing/btest/bifs/records_fields.bro
rename to testing/btest/bifs/records_fields.zeek
diff --git a/testing/btest/bifs/remask_addr.bro b/testing/btest/bifs/remask_addr.zeek
similarity index 100%
rename from testing/btest/bifs/remask_addr.bro
rename to testing/btest/bifs/remask_addr.zeek
diff --git a/testing/btest/bifs/resize.bro b/testing/btest/bifs/resize.zeek
similarity index 100%
rename from testing/btest/bifs/resize.bro
rename to testing/btest/bifs/resize.zeek
diff --git a/testing/btest/bifs/reverse.bro b/testing/btest/bifs/reverse.zeek
similarity index 100%
rename from testing/btest/bifs/reverse.bro
rename to testing/btest/bifs/reverse.zeek
diff --git a/testing/btest/bifs/rotate_file.bro b/testing/btest/bifs/rotate_file.zeek
similarity index 100%
rename from testing/btest/bifs/rotate_file.bro
rename to testing/btest/bifs/rotate_file.zeek
diff --git a/testing/btest/bifs/rotate_file_by_name.bro b/testing/btest/bifs/rotate_file_by_name.zeek
similarity index 100%
rename from testing/btest/bifs/rotate_file_by_name.bro
rename to testing/btest/bifs/rotate_file_by_name.zeek
diff --git a/testing/btest/bifs/rstrip.bro b/testing/btest/bifs/rstrip.zeek
similarity index 100%
rename from testing/btest/bifs/rstrip.bro
rename to testing/btest/bifs/rstrip.zeek
diff --git a/testing/btest/bifs/safe_shell_quote.bro b/testing/btest/bifs/safe_shell_quote.zeek
similarity index 100%
rename from testing/btest/bifs/safe_shell_quote.bro
rename to testing/btest/bifs/safe_shell_quote.zeek
diff --git a/testing/btest/bifs/same_object.bro b/testing/btest/bifs/same_object.zeek
similarity index 100%
rename from testing/btest/bifs/same_object.bro
rename to testing/btest/bifs/same_object.zeek
diff --git a/testing/btest/bifs/sort.bro b/testing/btest/bifs/sort.zeek
similarity index 100%
rename from testing/btest/bifs/sort.bro
rename to testing/btest/bifs/sort.zeek
diff --git a/testing/btest/bifs/sort_string_array.bro b/testing/btest/bifs/sort_string_array.zeek
similarity index 100%
rename from testing/btest/bifs/sort_string_array.bro
rename to testing/btest/bifs/sort_string_array.zeek
diff --git a/testing/btest/bifs/split.bro b/testing/btest/bifs/split.zeek
similarity index 100%
rename from testing/btest/bifs/split.bro
rename to testing/btest/bifs/split.zeek
diff --git a/testing/btest/bifs/split_string.bro b/testing/btest/bifs/split_string.zeek
similarity index 100%
rename from testing/btest/bifs/split_string.bro
rename to testing/btest/bifs/split_string.zeek
diff --git a/testing/btest/bifs/str_shell_escape.bro b/testing/btest/bifs/str_shell_escape.zeek
similarity index 100%
rename from testing/btest/bifs/str_shell_escape.bro
rename to testing/btest/bifs/str_shell_escape.zeek
diff --git a/testing/btest/bifs/strcmp.bro b/testing/btest/bifs/strcmp.zeek
similarity index 100%
rename from testing/btest/bifs/strcmp.bro
rename to testing/btest/bifs/strcmp.zeek
diff --git a/testing/btest/bifs/strftime.bro b/testing/btest/bifs/strftime.zeek
similarity index 100%
rename from testing/btest/bifs/strftime.bro
rename to testing/btest/bifs/strftime.zeek
diff --git a/testing/btest/bifs/string_fill.bro b/testing/btest/bifs/string_fill.zeek
similarity index 100%
rename from testing/btest/bifs/string_fill.bro
rename to testing/btest/bifs/string_fill.zeek
diff --git a/testing/btest/bifs/string_to_pattern.bro b/testing/btest/bifs/string_to_pattern.zeek
similarity index 100%
rename from testing/btest/bifs/string_to_pattern.bro
rename to testing/btest/bifs/string_to_pattern.zeek
diff --git a/testing/btest/bifs/strip.bro b/testing/btest/bifs/strip.zeek
similarity index 100%
rename from testing/btest/bifs/strip.bro
rename to testing/btest/bifs/strip.zeek
diff --git a/testing/btest/bifs/strptime.bro b/testing/btest/bifs/strptime.zeek
similarity index 100%
rename from testing/btest/bifs/strptime.bro
rename to testing/btest/bifs/strptime.zeek
diff --git a/testing/btest/bifs/strstr.bro b/testing/btest/bifs/strstr.zeek
similarity index 100%
rename from testing/btest/bifs/strstr.bro
rename to testing/btest/bifs/strstr.zeek
diff --git a/testing/btest/bifs/sub.bro b/testing/btest/bifs/sub.zeek
similarity index 100%
rename from testing/btest/bifs/sub.bro
rename to testing/btest/bifs/sub.zeek
diff --git a/testing/btest/bifs/subnet_to_addr.bro b/testing/btest/bifs/subnet_to_addr.zeek
similarity index 100%
rename from testing/btest/bifs/subnet_to_addr.bro
rename to testing/btest/bifs/subnet_to_addr.zeek
diff --git a/testing/btest/bifs/subnet_version.bro b/testing/btest/bifs/subnet_version.zeek
similarity index 100%
rename from testing/btest/bifs/subnet_version.bro
rename to testing/btest/bifs/subnet_version.zeek
diff --git a/testing/btest/bifs/subst_string.bro b/testing/btest/bifs/subst_string.zeek
similarity index 100%
rename from testing/btest/bifs/subst_string.bro
rename to testing/btest/bifs/subst_string.zeek
diff --git a/testing/btest/bifs/system.bro b/testing/btest/bifs/system.zeek
similarity index 100%
rename from testing/btest/bifs/system.bro
rename to testing/btest/bifs/system.zeek
diff --git a/testing/btest/bifs/system_env.bro b/testing/btest/bifs/system_env.zeek
similarity index 100%
rename from testing/btest/bifs/system_env.bro
rename to testing/btest/bifs/system_env.zeek
diff --git a/testing/btest/bifs/to_addr.bro b/testing/btest/bifs/to_addr.zeek
similarity index 100%
rename from testing/btest/bifs/to_addr.bro
rename to testing/btest/bifs/to_addr.zeek
diff --git a/testing/btest/bifs/to_count.bro b/testing/btest/bifs/to_count.zeek
similarity index 100%
rename from testing/btest/bifs/to_count.bro
rename to testing/btest/bifs/to_count.zeek
diff --git a/testing/btest/bifs/to_double.bro b/testing/btest/bifs/to_double.zeek
similarity index 100%
rename from testing/btest/bifs/to_double.bro
rename to testing/btest/bifs/to_double.zeek
diff --git a/testing/btest/bifs/to_double_from_string.bro b/testing/btest/bifs/to_double_from_string.zeek
similarity index 100%
rename from testing/btest/bifs/to_double_from_string.bro
rename to testing/btest/bifs/to_double_from_string.zeek
diff --git a/testing/btest/bifs/to_int.bro b/testing/btest/bifs/to_int.zeek
similarity index 100%
rename from testing/btest/bifs/to_int.bro
rename to testing/btest/bifs/to_int.zeek
diff --git a/testing/btest/bifs/to_interval.bro b/testing/btest/bifs/to_interval.zeek
similarity index 100%
rename from testing/btest/bifs/to_interval.bro
rename to testing/btest/bifs/to_interval.zeek
diff --git a/testing/btest/bifs/to_port.bro b/testing/btest/bifs/to_port.zeek
similarity index 100%
rename from testing/btest/bifs/to_port.bro
rename to testing/btest/bifs/to_port.zeek
diff --git a/testing/btest/bifs/to_subnet.bro b/testing/btest/bifs/to_subnet.zeek similarity index 100% rename from testing/btest/bifs/to_subnet.bro rename to testing/btest/bifs/to_subnet.zeek diff --git a/testing/btest/bifs/to_time.bro b/testing/btest/bifs/to_time.zeek similarity index 100% rename from testing/btest/bifs/to_time.bro rename to testing/btest/bifs/to_time.zeek diff --git a/testing/btest/bifs/topk.bro b/testing/btest/bifs/topk.zeek similarity index 100% rename from testing/btest/bifs/topk.bro rename to testing/btest/bifs/topk.zeek diff --git a/testing/btest/bifs/type_name.bro b/testing/btest/bifs/type_name.zeek similarity index 100% rename from testing/btest/bifs/type_name.bro rename to testing/btest/bifs/type_name.zeek diff --git a/testing/btest/bifs/unique_id-pools.bro b/testing/btest/bifs/unique_id-pools.zeek similarity index 87% rename from testing/btest/bifs/unique_id-pools.bro rename to testing/btest/bifs/unique_id-pools.zeek index abdc4b22ba..ba31485dc3 100644 --- a/testing/btest/bifs/unique_id-pools.bro +++ b/testing/btest/bifs/unique_id-pools.zeek @@ -3,7 +3,7 @@ # @TEST-EXEC: bro order_base | sort >out.2 # @TEST-EXEC: cmp out.1 out.2 -@TEST-START-FILE order_rand.bro +@TEST-START-FILE order_rand.zeek print unique_id("A-"); print unique_id_from(5, "E-"); @@ -14,7 +14,7 @@ print unique_id_from(5, "F-"); @TEST-END-FILE -@TEST-START-FILE order_base.bro +@TEST-START-FILE order_base.zeek print unique_id("A-"); print unique_id("B-"); diff --git a/testing/btest/bifs/unique_id-rnd.bro b/testing/btest/bifs/unique_id-rnd.zeek similarity index 100% rename from testing/btest/bifs/unique_id-rnd.bro rename to testing/btest/bifs/unique_id-rnd.zeek diff --git a/testing/btest/bifs/unique_id.bro b/testing/btest/bifs/unique_id.zeek similarity index 100% rename from testing/btest/bifs/unique_id.bro rename to testing/btest/bifs/unique_id.zeek 
diff --git a/testing/btest/bifs/uuid_to_string.bro b/testing/btest/bifs/uuid_to_string.zeek similarity index 100% rename from testing/btest/bifs/uuid_to_string.bro rename to testing/btest/bifs/uuid_to_string.zeek diff --git a/testing/btest/bifs/val_size.bro b/testing/btest/bifs/val_size.zeek similarity index 100% rename from testing/btest/bifs/val_size.bro rename to testing/btest/bifs/val_size.zeek diff --git a/testing/btest/bifs/x509_verify.bro b/testing/btest/bifs/x509_verify.zeek similarity index 100% rename from testing/btest/bifs/x509_verify.bro rename to testing/btest/bifs/x509_verify.zeek diff --git a/testing/btest/broker/connect-on-retry.bro b/testing/btest/broker/connect-on-retry.zeek similarity index 91% rename from testing/btest/broker/connect-on-retry.bro rename to testing/btest/broker/connect-on-retry.zeek index 56e479b7ea..56df29cab1 100644 --- a/testing/btest/broker/connect-on-retry.bro +++ b/testing/btest/broker/connect-on-retry.zeek @@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek # Using btest's environment settings for connect/listen retry of 1sec. redef exit_only_after_terminate = T; @@ -49,7 +49,7 @@ event pong(msg: string, n: count) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/broker/disconnect.bro b/testing/btest/broker/disconnect.zeek similarity index 82% rename from testing/btest/broker/disconnect.bro rename to testing/btest/broker/disconnect.zeek index 08d80f0441..10a3fbfa69 100644 
--- a/testing/btest/broker/disconnect.bro +++ b/testing/btest/broker/disconnect.zeek @@ -1,18 +1,18 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out" # @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat recv/.pid) 45 || (btest-bg-wait -k 1 && false) -# @TEST-EXEC: btest-bg-run recv2 "bro -B broker -b ../recv.bro >recv2.out" +# @TEST-EXEC: btest-bg-run recv2 "bro -B broker -b ../recv.zeek >recv2.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff send/send.out # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff recv2/recv2.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; @@ -48,7 +48,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/broker/error.bro b/testing/btest/broker/error.zeek similarity index 88% rename from testing/btest/broker/error.bro rename to testing/btest/broker/error.zeek index aa413ea2ac..a3feac10fb 100644 --- a/testing/btest/broker/error.bro +++ b/testing/btest/broker/error.zeek @@ -1,8 +1,8 @@ -# @TEST-EXEC: bro -B main-loop,broker -b send.bro >send.out +# @TEST-EXEC: bro -B main-loop,broker -b send.zeek >send.out # @TEST-EXEC: btest-diff send.out # -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/broker/remote_event.bro b/testing/btest/broker/remote_event.zeek similarity index 92% rename from testing/btest/broker/remote_event.bro rename to testing/btest/broker/remote_event.zeek index a9e22ec25f..7a4ffec627 100644 --- a/testing/btest/broker/remote_event.bro 
+++ b/testing/btest/broker/remote_event.zeek @@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; @@ -53,7 +53,7 @@ event pong(msg: string, n: count) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/broker/remote_event_any.bro b/testing/btest/broker/remote_event_any.zeek similarity index 92% rename from testing/btest/broker/remote_event_any.bro rename to testing/btest/broker/remote_event_any.zeek index b45e5017ef..f0bb5713ca 100644 --- a/testing/btest/broker/remote_event_any.bro +++ b/testing/btest/broker/remote_event_any.zeek @@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; @@ -56,7 +56,7 @@ event pong(msg: string, n: any) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; 
diff --git a/testing/btest/broker/remote_event_auto.bro b/testing/btest/broker/remote_event_auto.zeek similarity index 92% rename from testing/btest/broker/remote_event_auto.bro rename to testing/btest/broker/remote_event_auto.zeek index 04570b9e6d..9917be84f8 100644 --- a/testing/btest/broker/remote_event_auto.bro +++ b/testing/btest/broker/remote_event_auto.zeek @@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.zeek >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; @@ -48,7 +48,7 @@ event pong(msg: string, n: count) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/broker/remote_event_ssl_auth.bro b/testing/btest/broker/remote_event_ssl_auth.zeek similarity index 98% rename from testing/btest/broker/remote_event_ssl_auth.bro rename to testing/btest/broker/remote_event_ssl_auth.zeek index 2422638416..d6c3d779ac 100644 --- a/testing/btest/broker/remote_event_ssl_auth.bro +++ b/testing/btest/broker/remote_event_ssl_auth.zeek @@ -1,7 +1,7 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out 
@@ -162,7 +162,7 @@ vq+Zqu15QV9T4BVWKHv0 -----END CERTIFICATE----- @TEST-END-FILE -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; @@ -210,7 +210,7 @@ event pong(msg: string, n: count) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/broker/remote_event_vector_any.bro b/testing/btest/broker/remote_event_vector_any.zeek similarity index 88% rename from testing/btest/broker/remote_event_vector_any.bro rename to testing/btest/broker/remote_event_vector_any.zeek index 6f03d97c56..e0e3c9f879 100644 --- a/testing/btest/broker/remote_event_vector_any.bro +++ b/testing/btest/broker/remote_event_vector_any.zeek @@ -1,12 +1,12 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; @@ -41,7 +41,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/broker/remote_id.bro b/testing/btest/broker/remote_id.zeek similarity index 83% rename from testing/btest/broker/remote_id.bro rename to testing/btest/broker/remote_id.zeek index 62cddb9f25..52fc304364 100644 --- a/testing/btest/broker/remote_id.bro +++ b/testing/btest/broker/remote_id.zeek 
@@ -1,12 +1,12 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro test_var=newval >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek test_var=newval >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek const test_var = "init" &redef; @@ -29,7 +29,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek const test_var = "init" &redef; diff --git a/testing/btest/broker/remote_log.bro b/testing/btest/broker/remote_log.zeek similarity index 83% rename from testing/btest/broker/remote_log.bro rename to testing/btest/broker/remote_log.zeek index dae89d42b2..2274555cc7 100644 --- a/testing/btest/broker/remote_log.bro +++ b/testing/btest/broker/remote_log.zeek @@ -1,7 +1,7 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -9,7 +9,7 @@ # @TEST-EXEC: btest-diff send/send.out # @TEST-EXEC: btest-diff send/test.log -@TEST-START-FILE common.bro +@TEST-START-FILE common.zeek redef exit_only_after_terminate = T; @@ -37,10 +37,10 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek -@load ./common.bro +@load ./common event bro_init() { 
@@ -55,11 +55,11 @@ event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek -@load ./common.bro +@load ./common event bro_init() { diff --git a/testing/btest/broker/remote_log_late_join.bro b/testing/btest/broker/remote_log_late_join.zeek similarity index 85% rename from testing/btest/broker/remote_log_late_join.bro rename to testing/btest/broker/remote_log_late_join.zeek index aea7846996..3b3666b98b 100644 --- a/testing/btest/broker/remote_log_late_join.bro +++ b/testing/btest/broker/remote_log_late_join.zeek @@ -1,7 +1,7 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -9,7 +9,7 @@ # @TEST-EXEC: btest-diff send/send.out # @TEST-EXEC: btest-diff send/test.log -@TEST-START-FILE common.bro +@TEST-START-FILE common.zeek redef exit_only_after_terminate = T; @@ -37,10 +37,10 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek -@load ./common.bro +@load ./common event bro_init() { @@ -55,11 +55,11 @@ event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek -@load ./common.bro +@load ./common event doconnect() { diff --git a/testing/btest/broker/remote_log_types.bro b/testing/btest/broker/remote_log_types.zeek similarity index 90% rename from testing/btest/broker/remote_log_types.bro rename to testing/btest/broker/remote_log_types.zeek index 8bbc66eaa2..2d7f56da92 100644 --- a/testing/btest/broker/remote_log_types.bro +++ b/testing/btest/broker/remote_log_types.zeek 
@@ -1,7 +1,7 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -12,7 +12,7 @@ # @TEST-EXEC: cat recv/test.log | grep -v '#close' | grep -v '#open' >recv/test.log.filtered # @TEST-EXEC: diff -u send/test.log.filtered recv/test.log.filtered -@TEST-START-FILE common.bro +@TEST-START-FILE common.zeek redef exit_only_after_terminate = T; @@ -54,9 +54,9 @@ event bro_init() &priority=5 @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek -@load ./common.bro +@load ./common event bro_init() { @@ -71,11 +71,11 @@ event quit_receiver() @TEST-END-FILE -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek -@load ./common.bro +@load ./common event bro_init() { diff --git a/testing/btest/broker/ssl_auth_failure.bro b/testing/btest/broker/ssl_auth_failure.zeek similarity index 96% rename from testing/btest/broker/ssl_auth_failure.bro rename to testing/btest/broker/ssl_auth_failure.zeek index bc90d86298..41c79236d4 100644 --- a/testing/btest/broker/ssl_auth_failure.bro +++ b/testing/btest/broker/ssl_auth_failure.zeek @@ -1,7 +1,7 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -86,7 +86,7 @@ BTdqMbieumB/zL97iK5baHUFEJ4VRtLQhh/SOXgew/BF8ccpilI= -----END RSA PRIVATE KEY----- @TEST-END-FILE -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; 
@@ -130,7 +130,7 @@ event Broker::error(code: Broker::ErrorCode, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/broker/store/clone.bro b/testing/btest/broker/store/clone.zeek similarity index 96% rename from testing/btest/broker/store/clone.bro rename to testing/btest/broker/store/clone.zeek index 5620303410..25021a226f 100644 --- a/testing/btest/broker/store/clone.bro +++ b/testing/btest/broker/store/clone.zeek @@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run clone "bro -B broker -b ../clone-main.bro >clone.out" -# @TEST-EXEC: btest-bg-run master "bro -B broker -b ../master-main.bro >master.out" +# @TEST-EXEC: btest-bg-run clone "bro -B broker -b ../clone-main.zeek >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -B broker -b ../master-main.zeek >master.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff clone/clone.out # @TEST-EXEC: btest-diff master/master.out -@TEST-START-FILE master-main.bro +@TEST-START-FILE master-main.zeek redef exit_only_after_terminate = T; global query_timeout = 1sec; @@ -75,7 +75,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE clone-main.bro +@TEST-START-FILE clone-main.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/broker/store/local.bro b/testing/btest/broker/store/local.zeek similarity index 100% rename from testing/btest/broker/store/local.bro rename to testing/btest/broker/store/local.zeek diff --git a/testing/btest/broker/store/ops.bro b/testing/btest/broker/store/ops.zeek similarity index 100% rename from testing/btest/broker/store/ops.bro rename to testing/btest/broker/store/ops.zeek diff --git a/testing/btest/broker/store/record.bro b/testing/btest/broker/store/record.zeek similarity index 100% rename from testing/btest/broker/store/record.bro rename to testing/btest/broker/store/record.zeek 
diff --git a/testing/btest/broker/store/set.bro b/testing/btest/broker/store/set.zeek similarity index 100% rename from testing/btest/broker/store/set.bro rename to testing/btest/broker/store/set.zeek diff --git a/testing/btest/broker/store/sqlite.bro b/testing/btest/broker/store/sqlite.zeek similarity index 100% rename from testing/btest/broker/store/sqlite.bro rename to testing/btest/broker/store/sqlite.zeek diff --git a/testing/btest/broker/store/table.bro b/testing/btest/broker/store/table.zeek similarity index 100% rename from testing/btest/broker/store/table.bro rename to testing/btest/broker/store/table.zeek diff --git a/testing/btest/broker/store/type-conversion.bro b/testing/btest/broker/store/type-conversion.zeek similarity index 100% rename from testing/btest/broker/store/type-conversion.bro rename to testing/btest/broker/store/type-conversion.zeek diff --git a/testing/btest/broker/store/vector.bro b/testing/btest/broker/store/vector.zeek similarity index 100% rename from testing/btest/broker/store/vector.bro rename to testing/btest/broker/store/vector.zeek diff --git a/testing/btest/broker/unpeer.bro b/testing/btest/broker/unpeer.zeek similarity index 89% rename from testing/btest/broker/unpeer.bro rename to testing/btest/broker/unpeer.zeek index b591815955..57bdf0301f 100644 --- a/testing/btest/broker/unpeer.bro +++ b/testing/btest/broker/unpeer.zeek @@ -1,7 +1,7 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.zeek >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -12,7 +12,7 @@ # @TEST-EXEC: btest-diff recv/broker.filtered.log # @TEST-EXEC: btest-diff send/broker.filtered.log -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; 
@@ -51,7 +51,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/core/bits_per_uid.bro b/testing/btest/core/bits_per_uid.zeek similarity index 100% rename from testing/btest/core/bits_per_uid.bro rename to testing/btest/core/bits_per_uid.zeek diff --git a/testing/btest/core/cisco-fabric-path.bro b/testing/btest/core/cisco-fabric-path.zeek similarity index 100% rename from testing/btest/core/cisco-fabric-path.bro rename to testing/btest/core/cisco-fabric-path.zeek diff --git a/testing/btest/core/conn-size-threshold.bro b/testing/btest/core/conn-size-threshold.zeek similarity index 100% rename from testing/btest/core/conn-size-threshold.bro rename to testing/btest/core/conn-size-threshold.zeek diff --git a/testing/btest/core/conn-uid.bro b/testing/btest/core/conn-uid.zeek similarity index 100% rename from testing/btest/core/conn-uid.bro rename to testing/btest/core/conn-uid.zeek diff --git a/testing/btest/core/connection_flip_roles.bro b/testing/btest/core/connection_flip_roles.zeek similarity index 100% rename from testing/btest/core/connection_flip_roles.bro rename to testing/btest/core/connection_flip_roles.zeek diff --git a/testing/btest/core/discarder.bro b/testing/btest/core/discarder.zeek similarity index 88% rename from testing/btest/core/discarder.bro rename to testing/btest/core/discarder.zeek index 9e8f5e7a2f..71b78373e9 100644 --- a/testing/btest/core/discarder.bro +++ b/testing/btest/core/discarder.zeek 
@@ -1,10 +1,10 @@ -# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-ip.bro >output -# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output -# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output -# @TEST-EXEC: bro -b -C -r $TRACES/icmp/icmp-destunreach-udp.pcap discarder-icmp.bro >>output +# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-ip.zeek >output +# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-tcp.zeek >>output +# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-udp.zeek >>output +# @TEST-EXEC: bro -b -C -r $TRACES/icmp/icmp-destunreach-udp.pcap discarder-icmp.zeek >>output # @TEST-EXEC: btest-diff output -@TEST-START-FILE discarder-ip.bro +@TEST-START-FILE discarder-ip.zeek event bro_init() { @@ -26,7 +26,7 @@ event new_packet(c: connection, p: pkt_hdr) @TEST-END-FILE -@TEST-START-FILE discarder-tcp.bro +@TEST-START-FILE discarder-tcp.zeek event bro_init() { @@ -48,7 +48,7 @@ event new_packet(c: connection, p: pkt_hdr) @TEST-END-FILE -@TEST-START-FILE discarder-udp.bro +@TEST-START-FILE discarder-udp.zeek event bro_init() { @@ -70,7 +70,7 @@ event new_packet(c: connection, p: pkt_hdr) @TEST-END-FILE -@TEST-START-FILE discarder-icmp.bro +@TEST-START-FILE discarder-icmp.zeek event bro_init() { diff --git a/testing/btest/core/div-by-zero.bro b/testing/btest/core/div-by-zero.zeek similarity index 100% rename from testing/btest/core/div-by-zero.bro rename to testing/btest/core/div-by-zero.zeek diff --git a/testing/btest/core/dns-init.bro b/testing/btest/core/dns-init.zeek similarity index 100% rename from testing/btest/core/dns-init.bro rename to testing/btest/core/dns-init.zeek diff --git a/testing/btest/core/embedded-null.bro b/testing/btest/core/embedded-null.zeek similarity index 100% rename from testing/btest/core/embedded-null.bro rename to testing/btest/core/embedded-null.zeek 
diff --git a/testing/btest/core/enum-redef-exists.bro b/testing/btest/core/enum-redef-exists.zeek
similarity index 100%
rename from testing/btest/core/enum-redef-exists.bro
rename to testing/btest/core/enum-redef-exists.zeek
diff --git a/testing/btest/core/erspan.bro b/testing/btest/core/erspan.zeek
similarity index 100%
rename from testing/btest/core/erspan.bro
rename to testing/btest/core/erspan.zeek
diff --git a/testing/btest/core/erspanII.bro b/testing/btest/core/erspanII.zeek
similarity index 100%
rename from testing/btest/core/erspanII.bro
rename to testing/btest/core/erspanII.zeek
diff --git a/testing/btest/core/erspanIII.bro b/testing/btest/core/erspanIII.zeek
similarity index 100%
rename from testing/btest/core/erspanIII.bro
rename to testing/btest/core/erspanIII.zeek
diff --git a/testing/btest/core/ether-addrs.bro b/testing/btest/core/ether-addrs.zeek
similarity index 100%
rename from testing/btest/core/ether-addrs.bro
rename to testing/btest/core/ether-addrs.zeek
diff --git a/testing/btest/core/event-arg-reuse.bro b/testing/btest/core/event-arg-reuse.zeek
similarity index 100%
rename from testing/btest/core/event-arg-reuse.bro
rename to testing/btest/core/event-arg-reuse.zeek
diff --git a/testing/btest/core/expr-exception.bro b/testing/btest/core/expr-exception.zeek
similarity index 100%
rename from testing/btest/core/expr-exception.bro
rename to testing/btest/core/expr-exception.zeek
diff --git a/testing/btest/core/fake_dns.bro b/testing/btest/core/fake_dns.zeek
similarity index 100%
rename from testing/btest/core/fake_dns.bro
rename to testing/btest/core/fake_dns.zeek
diff --git a/testing/btest/core/global_opaque_val.bro b/testing/btest/core/global_opaque_val.zeek
similarity index 100%
rename from testing/btest/core/global_opaque_val.bro
rename to testing/btest/core/global_opaque_val.zeek
diff --git a/testing/btest/core/history-flip.bro b/testing/btest/core/history-flip.zeek similarity index 100% rename from testing/btest/core/history-flip.bro rename to testing/btest/core/history-flip.zeek diff --git a/testing/btest/core/icmp/icmp_sent.bro b/testing/btest/core/icmp/icmp_sent.zeek similarity index 100% rename from testing/btest/core/icmp/icmp_sent.bro rename to testing/btest/core/icmp/icmp_sent.zeek diff --git a/testing/btest/core/init-error.bro b/testing/btest/core/init-error.zeek similarity index 100% rename from testing/btest/core/init-error.bro rename to testing/btest/core/init-error.zeek diff --git a/testing/btest/core/ip-broken-header.bro b/testing/btest/core/ip-broken-header.zeek similarity index 100% rename from testing/btest/core/ip-broken-header.bro rename to testing/btest/core/ip-broken-header.zeek diff --git a/testing/btest/core/leaks/basic-cluster.bro b/testing/btest/core/leaks/basic-cluster.zeek similarity index 98% rename from testing/btest/core/leaks/basic-cluster.bro rename to testing/btest/core/leaks/basic-cluster.zeek index fa73fb9a96..7e08756bb7 100644 --- a/testing/btest/core/leaks/basic-cluster.bro +++ b/testing/btest/core/leaks/basic-cluster.zeek @@ -12,7 +12,7 @@ # @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro -m %INPUT # @TEST-EXEC: btest-bg-wait 60 -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/core/leaks/bloomfilter.bro b/testing/btest/core/leaks/bloomfilter.zeek similarity index 100% rename from testing/btest/core/leaks/bloomfilter.bro rename to testing/btest/core/leaks/bloomfilter.zeek 
diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.zeek similarity index 93% rename from testing/btest/core/leaks/broker/clone_store.bro rename to testing/btest/core/leaks/broker/clone_store.zeek index 68235c7bab..9dc9b6072c 100644 --- a/testing/btest/core/leaks/broker/clone_store.bro +++ b/testing/btest/core/leaks/broker/clone_store.zeek @@ -2,13 +2,13 @@ # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro >clone.out" -# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro >master.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.zeek >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -b ../master.zeek >master.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out -@TEST-START-FILE master.bro +@TEST-START-FILE master.zeek redef exit_only_after_terminate = T; global query_timeout = 1sec; @@ -76,7 +76,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE clone.bro +@TEST-START-FILE clone.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/core/leaks/broker/data.bro b/testing/btest/core/leaks/broker/data.zeek similarity index 100% rename from testing/btest/core/leaks/broker/data.bro rename to testing/btest/core/leaks/broker/data.zeek diff --git a/testing/btest/core/leaks/broker/master_store.bro b/testing/btest/core/leaks/broker/master_store.zeek similarity index 100% rename from testing/btest/core/leaks/broker/master_store.bro rename to testing/btest/core/leaks/broker/master_store.zeek diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test index 5000bd98d7..972f8cbf93 100644 --- a/testing/btest/core/leaks/broker/remote_event.test 
+++ b/testing/btest/core/leaks/broker/remote_event.test @@ -2,14 +2,14 @@ # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro >send.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.zeek >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; @@ -43,7 +43,7 @@ event event_handler(msg: string, n: count) @TEST-END-FILE -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test index 12abc1a313..5f41ba9682 100644 --- a/testing/btest/core/leaks/broker/remote_log.test +++ b/testing/btest/core/leaks/broker/remote_log.test @@ -2,8 +2,8 @@ # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro >send.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.zeek >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out 
@@ -11,7 +11,7 @@ # @TEST-EXEC: btest-diff send/send.out # @TEST-EXEC: btest-diff send/test.log -@TEST-START-FILE common.bro +@TEST-START-FILE common.zeek redef exit_only_after_terminate = T; @@ -39,9 +39,9 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek -@load ./common.bro +@load ./common event bro_init() { @@ -56,9 +56,9 @@ event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek -@load ./common.bro +@load ./common event bro_init() { diff --git a/testing/btest/core/leaks/dns-nsec3.bro b/testing/btest/core/leaks/dns-nsec3.zeek similarity index 100% rename from testing/btest/core/leaks/dns-nsec3.bro rename to testing/btest/core/leaks/dns-nsec3.zeek diff --git a/testing/btest/core/leaks/dns-txt.bro b/testing/btest/core/leaks/dns-txt.zeek similarity index 100% rename from testing/btest/core/leaks/dns-txt.bro rename to testing/btest/core/leaks/dns-txt.zeek diff --git a/testing/btest/core/leaks/dns.bro b/testing/btest/core/leaks/dns.zeek similarity index 100% rename from testing/btest/core/leaks/dns.bro rename to testing/btest/core/leaks/dns.zeek diff --git a/testing/btest/core/leaks/dtls.bro b/testing/btest/core/leaks/dtls.zeek similarity index 100% rename from testing/btest/core/leaks/dtls.bro rename to testing/btest/core/leaks/dtls.zeek diff --git a/testing/btest/core/leaks/exec.test b/testing/btest/core/leaks/exec.test index 4cc8240012..a859c4d4c3 100644 --- a/testing/btest/core/leaks/exec.test +++ b/testing/btest/core/leaks/exec.test 
@@ -4,10 +4,10 @@ # # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b ../exectest.bro +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b ../exectest.zeek # @TEST-EXEC: btest-bg-wait 60 -@TEST-START-FILE exectest.bro +@TEST-START-FILE exectest.zeek @load base/utils/exec redef exit_only_after_terminate = T; diff --git a/testing/btest/core/leaks/file-analysis-http-get.bro b/testing/btest/core/leaks/file-analysis-http-get.zeek similarity index 95% rename from testing/btest/core/leaks/file-analysis-http-get.bro rename to testing/btest/core/leaks/file-analysis-http-get.zeek index 29aa6535a3..960a510137 100644 --- a/testing/btest/core/leaks/file-analysis-http-get.bro +++ b/testing/btest/core/leaks/file-analysis-http-get.zeek @@ -4,7 +4,7 @@ # # @TEST-GROUP: leaks # -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT # @TEST-EXEC: btest-bg-wait 60 redef test_file_analysis_source = "HTTP"; diff --git a/testing/btest/core/leaks/hll_cluster.bro b/testing/btest/core/leaks/hll_cluster.zeek similarity index 98% rename from testing/btest/core/leaks/hll_cluster.bro rename to testing/btest/core/leaks/hll_cluster.zeek index e565778fbc..613e458985 100644 --- a/testing/btest/core/leaks/hll_cluster.bro +++ b/testing/btest/core/leaks/hll_cluster.zeek 
@@ -17,7 +17,7 @@ # @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/core/leaks/hook.bro b/testing/btest/core/leaks/hook.zeek similarity index 100% rename from testing/btest/core/leaks/hook.bro rename to testing/btest/core/leaks/hook.zeek diff --git a/testing/btest/core/leaks/http-connect.bro b/testing/btest/core/leaks/http-connect.zeek similarity index 100% rename from testing/btest/core/leaks/http-connect.bro rename to testing/btest/core/leaks/http-connect.zeek diff --git a/testing/btest/core/leaks/input-basic.bro b/testing/btest/core/leaks/input-basic.zeek similarity index 100% rename from testing/btest/core/leaks/input-basic.bro rename to testing/btest/core/leaks/input-basic.zeek diff --git a/testing/btest/core/leaks/input-errors.bro b/testing/btest/core/leaks/input-errors.zeek similarity index 100% rename from testing/btest/core/leaks/input-errors.bro rename to testing/btest/core/leaks/input-errors.zeek diff --git a/testing/btest/core/leaks/input-missing-enum.bro b/testing/btest/core/leaks/input-missing-enum.zeek similarity index 100% rename from testing/btest/core/leaks/input-missing-enum.bro rename to testing/btest/core/leaks/input-missing-enum.zeek diff --git a/testing/btest/core/leaks/input-optional-event.bro b/testing/btest/core/leaks/input-optional-event.zeek similarity index 100% rename from testing/btest/core/leaks/input-optional-event.bro rename to testing/btest/core/leaks/input-optional-event.zeek 
diff --git a/testing/btest/core/leaks/input-optional-table.bro b/testing/btest/core/leaks/input-optional-table.zeek
similarity index 100%
rename from testing/btest/core/leaks/input-optional-table.bro
rename to testing/btest/core/leaks/input-optional-table.zeek
diff --git a/testing/btest/core/leaks/input-raw.bro b/testing/btest/core/leaks/input-raw.zeek
similarity index 100%
rename from testing/btest/core/leaks/input-raw.bro
rename to testing/btest/core/leaks/input-raw.zeek
diff --git a/testing/btest/core/leaks/input-reread.bro b/testing/btest/core/leaks/input-reread.zeek
similarity index 100%
rename from testing/btest/core/leaks/input-reread.bro
rename to testing/btest/core/leaks/input-reread.zeek
diff --git a/testing/btest/core/leaks/input-sqlite.bro b/testing/btest/core/leaks/input-sqlite.zeek
similarity index 100%
rename from testing/btest/core/leaks/input-sqlite.bro
rename to testing/btest/core/leaks/input-sqlite.zeek
diff --git a/testing/btest/core/leaks/input-with-remove.bro b/testing/btest/core/leaks/input-with-remove.zeek
similarity index 100%
rename from testing/btest/core/leaks/input-with-remove.bro
rename to testing/btest/core/leaks/input-with-remove.zeek
diff --git a/testing/btest/core/leaks/kv-iteration.bro b/testing/btest/core/leaks/kv-iteration.zeek
similarity index 100%
rename from testing/btest/core/leaks/kv-iteration.bro
rename to testing/btest/core/leaks/kv-iteration.zeek
diff --git a/testing/btest/core/leaks/pattern.bro b/testing/btest/core/leaks/pattern.zeek
similarity index 100%
rename from testing/btest/core/leaks/pattern.bro
rename to testing/btest/core/leaks/pattern.zeek
diff --git a/testing/btest/core/leaks/returnwhen.bro b/testing/btest/core/leaks/returnwhen.zeek
similarity index 100%
rename from testing/btest/core/leaks/returnwhen.bro
rename to testing/btest/core/leaks/returnwhen.zeek
diff --git a/testing/btest/core/leaks/set.bro b/testing/btest/core/leaks/set.zeek similarity index 100% rename from testing/btest/core/leaks/set.bro rename to testing/btest/core/leaks/set.zeek diff --git a/testing/btest/core/leaks/snmp.test b/testing/btest/core/leaks/snmp.test index 4f212d2699..43112eb9bf 100644 --- a/testing/btest/core/leaks/snmp.test +++ b/testing/btest/core/leaks/snmp.test @@ -4,7 +4,7 @@ # # @TEST-GROUP: leaks # -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/snmp/snmpv1_get.pcap -r $TRACES/snmp/snmpv1_get_short.pcap -r $TRACES/snmp/snmpv1_set.pcap -r $TRACES/snmp/snmpv1_trap.pcap -r $TRACES/snmp/snmpv2_get_bulk.pcap -r $TRACES/snmp/snmpv2_get_next.pcap -r $TRACES/snmp/snmpv2_get.pcap -r $TRACES/snmp/snmpv3_get_next.pcap $SCRIPTS/snmp-test.bro %INPUT +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/snmp/snmpv1_get.pcap -r $TRACES/snmp/snmpv1_get_short.pcap -r $TRACES/snmp/snmpv1_set.pcap -r $TRACES/snmp/snmpv1_trap.pcap -r $TRACES/snmp/snmpv2_get_bulk.pcap -r $TRACES/snmp/snmpv2_get_next.pcap -r $TRACES/snmp/snmpv2_get.pcap -r $TRACES/snmp/snmpv3_get_next.pcap $SCRIPTS/snmp-test.zeek %INPUT # @TEST-EXEC: btest-bg-wait 60 @load base/protocols/snmp diff --git a/testing/btest/core/leaks/stats.bro b/testing/btest/core/leaks/stats.zeek similarity index 92% rename from testing/btest/core/leaks/stats.bro rename to testing/btest/core/leaks/stats.zeek index a3459fdc93..7df104be95 100644 --- a/testing/btest/core/leaks/stats.bro +++ b/testing/btest/core/leaks/stats.zeek @@ -7,7 +7,7 @@ # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/wikipedia.trace %INPUT # @TEST-EXEC: btest-bg-wait 60 -@load policy/misc/stats.bro +@load policy/misc/stats event load_sample(samples: load_sample_info, CPU: interval, dmem: int) { 
diff --git a/testing/btest/core/leaks/string-indexing.bro b/testing/btest/core/leaks/string-indexing.zeek
similarity index 100%
rename from testing/btest/core/leaks/string-indexing.bro
rename to testing/btest/core/leaks/string-indexing.zeek
diff --git a/testing/btest/core/leaks/switch-statement.bro b/testing/btest/core/leaks/switch-statement.zeek
similarity index 100%
rename from testing/btest/core/leaks/switch-statement.bro
rename to testing/btest/core/leaks/switch-statement.zeek
diff --git a/testing/btest/core/leaks/teredo.bro b/testing/btest/core/leaks/teredo.zeek
similarity index 100%
rename from testing/btest/core/leaks/teredo.bro
rename to testing/btest/core/leaks/teredo.zeek
diff --git a/testing/btest/core/leaks/test-all.bro b/testing/btest/core/leaks/test-all.zeek
similarity index 100%
rename from testing/btest/core/leaks/test-all.bro
rename to testing/btest/core/leaks/test-all.zeek
diff --git a/testing/btest/core/leaks/while.bro b/testing/btest/core/leaks/while.zeek
similarity index 100%
rename from testing/btest/core/leaks/while.bro
rename to testing/btest/core/leaks/while.zeek
diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.zeek
similarity index 100%
rename from testing/btest/core/leaks/x509_ocsp_verify.bro
rename to testing/btest/core/leaks/x509_ocsp_verify.zeek
diff --git a/testing/btest/core/leaks/x509_verify.bro b/testing/btest/core/leaks/x509_verify.zeek
similarity index 100%
rename from testing/btest/core/leaks/x509_verify.bro
rename to testing/btest/core/leaks/x509_verify.zeek
diff --git a/testing/btest/core/load-duplicates.bro b/testing/btest/core/load-duplicates.zeek
similarity index 100%
rename from testing/btest/core/load-duplicates.bro
rename to testing/btest/core/load-duplicates.zeek
diff --git a/testing/btest/core/load-file-extension.bro b/testing/btest/core/load-file-extension.zeek similarity index 100% rename from testing/btest/core/load-file-extension.bro rename to testing/btest/core/load-file-extension.zeek diff --git a/testing/btest/core/load-pkg.bro b/testing/btest/core/load-pkg.zeek similarity index 100% rename from testing/btest/core/load-pkg.bro rename to testing/btest/core/load-pkg.zeek diff --git a/testing/btest/core/load-prefixes.bro b/testing/btest/core/load-prefixes.zeek similarity index 95% rename from testing/btest/core/load-prefixes.bro rename to testing/btest/core/load-prefixes.zeek index 5147bd0250..c91f278a65 100644 --- a/testing/btest/core/load-prefixes.bro +++ b/testing/btest/core/load-prefixes.zeek @@ -3,7 +3,7 @@ # @TEST-EXEC: bro addprefixes >output # @TEST-EXEC: btest-diff output -@TEST-START-FILE addprefixes.bro +@TEST-START-FILE addprefixes.zeek @prefixes += lcl @prefixes += lcl2 @TEST-END-FILE diff --git a/testing/btest/core/load-relative.bro b/testing/btest/core/load-relative.zeek similarity index 74% rename from testing/btest/core/load-relative.bro rename to testing/btest/core/load-relative.zeek index 3bd082cf8a..439563c201 100644 --- a/testing/btest/core/load-relative.bro +++ b/testing/btest/core/load-relative.zeek @@ -3,16 +3,16 @@ # @TEST-EXEC: bro -b foo/foo >output # @TEST-EXEC: btest-diff output -@TEST-START-FILE foo/foo.bro +@TEST-START-FILE foo/foo.zeek @load ./bar @load ../baz print "foo loaded"; @TEST-END-FILE -@TEST-START-FILE foo/bar.bro +@TEST-START-FILE foo/bar.zeek print "bar loaded"; @TEST-END-FILE -@TEST-START-FILE baz.bro +@TEST-START-FILE baz.zeek print "baz loaded"; @TEST-END-FILE diff --git a/testing/btest/core/load-unload.bro b/testing/btest/core/load-unload.zeek similarity index 100% rename from testing/btest/core/load-unload.bro rename to testing/btest/core/load-unload.zeek 
diff --git a/testing/btest/core/mpls-in-vlan.bro b/testing/btest/core/mpls-in-vlan.zeek
similarity index 100%
rename from testing/btest/core/mpls-in-vlan.bro
rename to testing/btest/core/mpls-in-vlan.zeek
diff --git a/testing/btest/core/nflog.bro b/testing/btest/core/nflog.zeek
similarity index 100%
rename from testing/btest/core/nflog.bro
rename to testing/btest/core/nflog.zeek
diff --git a/testing/btest/core/nop.bro b/testing/btest/core/nop.zeek
similarity index 100%
rename from testing/btest/core/nop.bro
rename to testing/btest/core/nop.zeek
diff --git a/testing/btest/core/old_comm_usage.bro b/testing/btest/core/old_comm_usage.zeek
similarity index 100%
rename from testing/btest/core/old_comm_usage.bro
rename to testing/btest/core/old_comm_usage.zeek
diff --git a/testing/btest/core/option-errors.bro b/testing/btest/core/option-errors.zeek
similarity index 100%
rename from testing/btest/core/option-errors.bro
rename to testing/btest/core/option-errors.zeek
diff --git a/testing/btest/core/option-priorities.bro b/testing/btest/core/option-priorities.zeek
similarity index 100%
rename from testing/btest/core/option-priorities.bro
rename to testing/btest/core/option-priorities.zeek
diff --git a/testing/btest/core/option-redef.bro b/testing/btest/core/option-redef.zeek
similarity index 100%
rename from testing/btest/core/option-redef.bro
rename to testing/btest/core/option-redef.zeek
diff --git a/testing/btest/core/option-runtime-errors.bro b/testing/btest/core/option-runtime-errors.zeek
similarity index 100%
rename from testing/btest/core/option-runtime-errors.bro
rename to testing/btest/core/option-runtime-errors.zeek
diff --git a/testing/btest/core/pcap/dumper.bro b/testing/btest/core/pcap/dumper.zeek
similarity index 100%
rename from testing/btest/core/pcap/dumper.bro
rename to testing/btest/core/pcap/dumper.zeek
diff --git a/testing/btest/core/pcap/dynamic-filter.bro b/testing/btest/core/pcap/dynamic-filter.zeek
similarity index 100%
rename from testing/btest/core/pcap/dynamic-filter.bro
rename to testing/btest/core/pcap/dynamic-filter.zeek
diff --git a/testing/btest/core/pcap/filter-error.bro b/testing/btest/core/pcap/filter-error.zeek
similarity index 100%
rename from testing/btest/core/pcap/filter-error.bro
rename to testing/btest/core/pcap/filter-error.zeek
diff --git a/testing/btest/core/pcap/input-error.bro b/testing/btest/core/pcap/input-error.zeek
similarity index 100%
rename from testing/btest/core/pcap/input-error.bro
rename to testing/btest/core/pcap/input-error.zeek
diff --git a/testing/btest/core/pcap/pseudo-realtime.bro b/testing/btest/core/pcap/pseudo-realtime.zeek
similarity index 100%
rename from testing/btest/core/pcap/pseudo-realtime.bro
rename to testing/btest/core/pcap/pseudo-realtime.zeek
diff --git a/testing/btest/core/pcap/read-trace-with-filter.bro b/testing/btest/core/pcap/read-trace-with-filter.zeek
similarity index 100%
rename from testing/btest/core/pcap/read-trace-with-filter.bro
rename to testing/btest/core/pcap/read-trace-with-filter.zeek
diff --git a/testing/btest/core/pppoe-over-qinq.bro b/testing/btest/core/pppoe-over-qinq.zeek
similarity index 100%
rename from testing/btest/core/pppoe-over-qinq.bro
rename to testing/btest/core/pppoe-over-qinq.zeek
diff --git a/testing/btest/core/print-bpf-filters.bro b/testing/btest/core/print-bpf-filters.zeek
similarity index 100%
rename from testing/btest/core/print-bpf-filters.bro
rename to testing/btest/core/print-bpf-filters.zeek
diff --git a/testing/btest/core/q-in-q.bro b/testing/btest/core/q-in-q.zeek
similarity index 100%
rename from testing/btest/core/q-in-q.bro
rename to testing/btest/core/q-in-q.zeek
diff --git a/testing/btest/core/radiotap.bro b/testing/btest/core/radiotap.zeek
similarity index 100%
rename from testing/btest/core/radiotap.bro
rename to testing/btest/core/radiotap.zeek
diff --git a/testing/btest/core/raw_packet.bro b/testing/btest/core/raw_packet.zeek
similarity index 100%
rename from testing/btest/core/raw_packet.bro
rename to testing/btest/core/raw_packet.zeek
diff --git a/testing/btest/core/reassembly.bro b/testing/btest/core/reassembly.zeek
similarity index 100%
rename from testing/btest/core/reassembly.bro
rename to testing/btest/core/reassembly.zeek
diff --git a/testing/btest/core/recursive-event.bro b/testing/btest/core/recursive-event.zeek
similarity index 100%
rename from testing/btest/core/recursive-event.bro
rename to testing/btest/core/recursive-event.zeek
diff --git a/testing/btest/core/reporter-error-in-handler.bro b/testing/btest/core/reporter-error-in-handler.zeek
similarity index 100%
rename from testing/btest/core/reporter-error-in-handler.bro
rename to testing/btest/core/reporter-error-in-handler.zeek
diff --git a/testing/btest/core/reporter-fmt-strings.bro b/testing/btest/core/reporter-fmt-strings.zeek
similarity index 100%
rename from testing/btest/core/reporter-fmt-strings.bro
rename to testing/btest/core/reporter-fmt-strings.zeek
diff --git a/testing/btest/core/reporter-parse-error.bro b/testing/btest/core/reporter-parse-error.zeek
similarity index 100%
rename from testing/btest/core/reporter-parse-error.bro
rename to testing/btest/core/reporter-parse-error.zeek
diff --git a/testing/btest/core/reporter-runtime-error.bro b/testing/btest/core/reporter-runtime-error.zeek
similarity index 100%
rename from testing/btest/core/reporter-runtime-error.bro
rename to testing/btest/core/reporter-runtime-error.zeek
diff --git a/testing/btest/core/reporter-shutdown-order-errors.bro b/testing/btest/core/reporter-shutdown-order-errors.zeek
similarity index 100%
rename from testing/btest/core/reporter-shutdown-order-errors.bro
rename to testing/btest/core/reporter-shutdown-order-errors.zeek
diff --git a/testing/btest/core/reporter-type-mismatch.bro b/testing/btest/core/reporter-type-mismatch.zeek
similarity index 100%
rename from testing/btest/core/reporter-type-mismatch.bro
rename to testing/btest/core/reporter-type-mismatch.zeek
diff --git a/testing/btest/core/reporter-weird-sampling-disable.bro b/testing/btest/core/reporter-weird-sampling-disable.zeek
similarity index 100%
rename from testing/btest/core/reporter-weird-sampling-disable.bro
rename to testing/btest/core/reporter-weird-sampling-disable.zeek
diff --git a/testing/btest/core/reporter-weird-sampling.bro b/testing/btest/core/reporter-weird-sampling.zeek
similarity index 100%
rename from testing/btest/core/reporter-weird-sampling.bro
rename to testing/btest/core/reporter-weird-sampling.zeek
diff --git a/testing/btest/core/reporter.bro b/testing/btest/core/reporter.zeek
similarity index 100%
rename from testing/btest/core/reporter.bro
rename to testing/btest/core/reporter.zeek
diff --git a/testing/btest/core/tcp/fin-retransmit.bro b/testing/btest/core/tcp/fin-retransmit.zeek
similarity index 100%
rename from testing/btest/core/tcp/fin-retransmit.bro
rename to testing/btest/core/tcp/fin-retransmit.zeek
diff --git a/testing/btest/core/tcp/large-file-reassembly.bro b/testing/btest/core/tcp/large-file-reassembly.zeek
similarity index 100%
rename from testing/btest/core/tcp/large-file-reassembly.bro
rename to testing/btest/core/tcp/large-file-reassembly.zeek
diff --git a/testing/btest/core/tcp/miss-end-data.bro b/testing/btest/core/tcp/miss-end-data.zeek
similarity index 100%
rename from testing/btest/core/tcp/miss-end-data.bro
rename to testing/btest/core/tcp/miss-end-data.zeek
diff --git a/testing/btest/core/tcp/missing-syn.bro b/testing/btest/core/tcp/missing-syn.zeek
similarity index 100%
rename from testing/btest/core/tcp/missing-syn.bro
rename to testing/btest/core/tcp/missing-syn.zeek
diff --git a/testing/btest/core/tcp/quantum-insert.bro b/testing/btest/core/tcp/quantum-insert.zeek
similarity index 100%
rename from testing/btest/core/tcp/quantum-insert.bro
rename to testing/btest/core/tcp/quantum-insert.zeek
diff --git a/testing/btest/core/tcp/rst-after-syn.bro b/testing/btest/core/tcp/rst-after-syn.zeek
similarity index 100%
rename from testing/btest/core/tcp/rst-after-syn.bro
rename to testing/btest/core/tcp/rst-after-syn.zeek
diff --git a/testing/btest/core/tcp/rxmit-history.bro b/testing/btest/core/tcp/rxmit-history.zeek
similarity index 100%
rename from testing/btest/core/tcp/rxmit-history.bro
rename to testing/btest/core/tcp/rxmit-history.zeek
diff --git a/testing/btest/core/tcp/truncated-header.bro b/testing/btest/core/tcp/truncated-header.zeek
similarity index 100%
rename from testing/btest/core/tcp/truncated-header.bro
rename to testing/btest/core/tcp/truncated-header.zeek
diff --git a/testing/btest/core/tunnels/false-teredo.bro b/testing/btest/core/tunnels/false-teredo.zeek
similarity index 100%
rename from testing/btest/core/tunnels/false-teredo.bro
rename to testing/btest/core/tunnels/false-teredo.zeek
diff --git a/testing/btest/core/tunnels/ip-in-ip-version.bro b/testing/btest/core/tunnels/ip-in-ip-version.zeek
similarity index 100%
rename from testing/btest/core/tunnels/ip-in-ip-version.bro
rename to testing/btest/core/tunnels/ip-in-ip-version.zeek
diff --git a/testing/btest/core/tunnels/teredo.bro b/testing/btest/core/tunnels/teredo.zeek
similarity index 100%
rename from testing/btest/core/tunnels/teredo.bro
rename to testing/btest/core/tunnels/teredo.zeek
diff --git a/testing/btest/core/tunnels/vxlan.bro b/testing/btest/core/tunnels/vxlan.zeek
similarity index 100%
rename from testing/btest/core/tunnels/vxlan.bro
rename to testing/btest/core/tunnels/vxlan.zeek
diff --git a/testing/btest/core/vector-assignment.bro b/testing/btest/core/vector-assignment.zeek
similarity index 100%
rename from testing/btest/core/vector-assignment.bro
rename to testing/btest/core/vector-assignment.zeek
diff --git a/testing/btest/core/vlan-mpls.bro b/testing/btest/core/vlan-mpls.zeek
similarity index 100%
rename from testing/btest/core/vlan-mpls.bro
rename to testing/btest/core/vlan-mpls.zeek
diff --git a/testing/btest/core/when-interpreter-exceptions.bro b/testing/btest/core/when-interpreter-exceptions.zeek
similarity index 100%
rename from testing/btest/core/when-interpreter-exceptions.bro
rename to testing/btest/core/when-interpreter-exceptions.zeek
diff --git a/testing/btest/core/wlanmon.bro b/testing/btest/core/wlanmon.zeek
similarity index 100%
rename from testing/btest/core/wlanmon.bro
rename to testing/btest/core/wlanmon.zeek
diff --git a/testing/btest/core/x509-generalizedtime.bro b/testing/btest/core/x509-generalizedtime.zeek
similarity index 100%
rename from testing/btest/core/x509-generalizedtime.bro
rename to testing/btest/core/x509-generalizedtime.zeek
diff --git a/testing/btest/coverage/coverage-blacklist.bro b/testing/btest/coverage/coverage-blacklist.zeek
similarity index 100%
rename from testing/btest/coverage/coverage-blacklist.bro
rename to testing/btest/coverage/coverage-blacklist.zeek
diff --git a/testing/btest/doc/broxygen/command_line.bro b/testing/btest/doc/broxygen/command_line.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/command_line.bro
rename to testing/btest/doc/broxygen/command_line.zeek
diff --git a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro b/testing/btest/doc/broxygen/comment_retrieval_bifs.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/comment_retrieval_bifs.bro
rename to testing/btest/doc/broxygen/comment_retrieval_bifs.zeek
diff --git a/testing/btest/doc/broxygen/enums.bro b/testing/btest/doc/broxygen/enums.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/enums.bro
rename to testing/btest/doc/broxygen/enums.zeek
diff --git a/testing/btest/doc/broxygen/example.bro b/testing/btest/doc/broxygen/example.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/example.bro
rename to testing/btest/doc/broxygen/example.zeek
diff --git a/testing/btest/doc/broxygen/func-params.bro b/testing/btest/doc/broxygen/func-params.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/func-params.bro
rename to testing/btest/doc/broxygen/func-params.zeek
diff --git a/testing/btest/doc/broxygen/identifier.bro b/testing/btest/doc/broxygen/identifier.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/identifier.bro
rename to testing/btest/doc/broxygen/identifier.zeek
diff --git a/testing/btest/doc/broxygen/package.bro b/testing/btest/doc/broxygen/package.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/package.bro
rename to testing/btest/doc/broxygen/package.zeek
diff --git a/testing/btest/doc/broxygen/package_index.bro b/testing/btest/doc/broxygen/package_index.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/package_index.bro
rename to testing/btest/doc/broxygen/package_index.zeek
diff --git a/testing/btest/doc/broxygen/records.bro b/testing/btest/doc/broxygen/records.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/records.bro
rename to testing/btest/doc/broxygen/records.zeek
diff --git a/testing/btest/doc/broxygen/script_index.bro b/testing/btest/doc/broxygen/script_index.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/script_index.bro
rename to testing/btest/doc/broxygen/script_index.zeek
diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/script_summary.bro
rename to testing/btest/doc/broxygen/script_summary.zeek
diff --git a/testing/btest/doc/broxygen/type-aliases.bro b/testing/btest/doc/broxygen/type-aliases.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/type-aliases.bro
rename to testing/btest/doc/broxygen/type-aliases.zeek
diff --git a/testing/btest/doc/broxygen/vectors.bro b/testing/btest/doc/broxygen/vectors.zeek
similarity index 100%
rename from testing/btest/doc/broxygen/vectors.bro
rename to testing/btest/doc/broxygen/vectors.zeek
diff --git a/testing/btest/doc/record-add.bro b/testing/btest/doc/record-add.zeek
similarity index 100%
rename from testing/btest/doc/record-add.bro
rename to testing/btest/doc/record-add.zeek
diff --git a/testing/btest/doc/record-attr-check.bro b/testing/btest/doc/record-attr-check.zeek
similarity index 100%
rename from testing/btest/doc/record-attr-check.bro
rename to testing/btest/doc/record-attr-check.zeek
diff --git a/testing/btest/language/addr.bro b/testing/btest/language/addr.zeek
similarity index 100%
rename from testing/btest/language/addr.bro
rename to testing/btest/language/addr.zeek
diff --git a/testing/btest/language/any.bro b/testing/btest/language/any.zeek
similarity index 100%
rename from testing/btest/language/any.bro
rename to testing/btest/language/any.zeek
diff --git a/testing/btest/language/at-deprecated.bro b/testing/btest/language/at-deprecated.zeek
similarity index 63%
rename from testing/btest/language/at-deprecated.bro
rename to testing/btest/language/at-deprecated.zeek
index dd0f746658..271a918e5e 100644
--- a/testing/btest/language/at-deprecated.bro
+++ b/testing/btest/language/at-deprecated.zeek
@@ -1,16 +1,16 @@ # @TEST-EXEC: bro -b foo # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr -@TEST-START-FILE foo.bro +@TEST-START-FILE foo.zeek @deprecated @load bar @load baz @TEST-END-FILE -@TEST-START-FILE bar.bro -@deprecated "Use '@load qux.bro' instead" +@TEST-START-FILE bar.zeek +@deprecated "Use '@load qux' instead" @TEST-END-FILE -@TEST-START-FILE baz.bro +@TEST-START-FILE baz.zeek @deprecated @TEST-END-FILE diff --git a/testing/btest/language/at-dir.bro b/testing/btest/language/at-dir.zeek similarity index 75% rename from testing/btest/language/at-dir.bro rename to testing/btest/language/at-dir.zeek index b826e3a5da..a366285a5b 100644 --- a/testing/btest/language/at-dir.bro +++ b/testing/btest/language/at-dir.zeek @@ -1,10 +1,10 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out -# @TEST-EXEC: bro -b ./pathtest.bro >out2 +# @TEST-EXEC: bro -b ./pathtest.zeek >out2 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out2 print @DIR; -@TEST-START-FILE pathtest.bro +@TEST-START-FILE pathtest.zeek print @DIR; @TEST-END-FILE diff --git a/testing/btest/language/at-filename.bro b/testing/btest/language/at-filename.zeek similarity index 100% rename from testing/btest/language/at-filename.bro rename to testing/btest/language/at-filename.zeek diff --git a/testing/btest/language/at-if-event.bro b/testing/btest/language/at-if-event.zeek similarity index 100% rename from testing/btest/language/at-if-event.bro rename to testing/btest/language/at-if-event.zeek diff --git a/testing/btest/language/at-if-invalid.bro b/testing/btest/language/at-if-invalid.zeek similarity index 100% rename from testing/btest/language/at-if-invalid.bro rename to testing/btest/language/at-if-invalid.zeek 
diff --git a/testing/btest/language/at-if.bro b/testing/btest/language/at-if.zeek
similarity index 100%
rename from testing/btest/language/at-if.bro
rename to testing/btest/language/at-if.zeek
diff --git a/testing/btest/language/at-ifdef.bro b/testing/btest/language/at-ifdef.zeek
similarity index 100%
rename from testing/btest/language/at-ifdef.bro
rename to testing/btest/language/at-ifdef.zeek
diff --git a/testing/btest/language/at-ifndef.bro b/testing/btest/language/at-ifndef.zeek
similarity index 100%
rename from testing/btest/language/at-ifndef.bro
rename to testing/btest/language/at-ifndef.zeek
diff --git a/testing/btest/language/at-load.bro b/testing/btest/language/at-load.zeek
similarity index 100%
rename from testing/btest/language/at-load.bro
rename to testing/btest/language/at-load.zeek
diff --git a/testing/btest/language/attr-default-coercion.bro b/testing/btest/language/attr-default-coercion.zeek
similarity index 100%
rename from testing/btest/language/attr-default-coercion.bro
rename to testing/btest/language/attr-default-coercion.zeek
diff --git a/testing/btest/language/attr-default-global-set-error.bro b/testing/btest/language/attr-default-global-set-error.zeek
similarity index 100%
rename from testing/btest/language/attr-default-global-set-error.bro
rename to testing/btest/language/attr-default-global-set-error.zeek
diff --git a/testing/btest/language/bool.bro b/testing/btest/language/bool.zeek
similarity index 100%
rename from testing/btest/language/bool.bro
rename to testing/btest/language/bool.zeek
diff --git a/testing/btest/language/common-mistakes.bro b/testing/btest/language/common-mistakes.zeek
similarity index 87%
rename from testing/btest/language/common-mistakes.bro
rename to testing/btest/language/common-mistakes.zeek
index 361aae0ff4..de7d02da23 100644
--- a/testing/btest/language/common-mistakes.bro
+++ b/testing/btest/language/common-mistakes.zeek
@@ -2,16 +2,16 @@ # handled internally by way of throwing an exception to unwind out # of the current event handler body. -# @TEST-EXEC: bro -b 1.bro >1.out 2>&1 +# @TEST-EXEC: bro -b 1.zeek >1.out 2>&1 # @TEST-EXEC: btest-diff 1.out -# @TEST-EXEC: bro -b 2.bro >2.out 2>&1 +# @TEST-EXEC: bro -b 2.zeek >2.out 2>&1 # @TEST-EXEC: btest-diff 2.out -# @TEST-EXEC: bro -b 3.bro >3.out 2>&1 +# @TEST-EXEC: bro -b 3.zeek >3.out 2>&1 # @TEST-EXEC: btest-diff 3.out -@TEST-START-FILE 1.bro +@TEST-START-FILE 1.zeek type myrec: record { f: string &optional; }; @@ -47,7 +47,7 @@ event bro_init() &priority=-10 } @TEST-END-FILE -@TEST-START-FILE 2.bro +@TEST-START-FILE 2.zeek function foo() { print "in foo"; @@ -74,7 +74,7 @@ event bro_init() @TEST-END-FILE -@TEST-START-FILE 3.bro +@TEST-START-FILE 3.zeek function foo(v: vector of any) { print "in foo"; diff --git a/testing/btest/language/conditional-expression.bro b/testing/btest/language/conditional-expression.zeek similarity index 100% rename from testing/btest/language/conditional-expression.bro rename to testing/btest/language/conditional-expression.zeek diff --git a/testing/btest/language/const.bro b/testing/btest/language/const.zeek similarity index 84% rename from testing/btest/language/const.bro rename to testing/btest/language/const.zeek index ee938e8d45..1c70d4d04b 100644 --- a/testing/btest/language/const.bro +++ b/testing/btest/language/const.zeek 
@@ -1,12 +1,12 @@ -# @TEST-EXEC: bro -b valid.bro 2>valid.stderr 1>valid.stdout +# @TEST-EXEC: bro -b valid.zeek 2>valid.stderr 1>valid.stdout # @TEST-EXEC: btest-diff valid.stderr # @TEST-EXEC: btest-diff valid.stdout -# @TEST-EXEC-FAIL: bro -b invalid.bro 2>invalid.stderr 1>invalid.stdout +# @TEST-EXEC-FAIL: bro -b invalid.zeek 2>invalid.stderr 1>invalid.stdout # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff invalid.stderr # @TEST-EXEC: btest-diff invalid.stdout -@TEST-START-FILE valid.bro +@TEST-START-FILE valid.zeek # First some simple code that should be valid and error-free. function f(c: count) @@ -40,7 +40,7 @@ event bro_init() @TEST-END-FILE -@TEST-START-FILE invalid.bro +@TEST-START-FILE invalid.zeek # Now some const assignments that should generate errors at parse-time. const foo = 0 &redef; diff --git a/testing/btest/language/container-ctor-scope.bro b/testing/btest/language/container-ctor-scope.zeek similarity index 100% rename from testing/btest/language/container-ctor-scope.bro rename to testing/btest/language/container-ctor-scope.zeek diff --git a/testing/btest/language/copy.bro b/testing/btest/language/copy.zeek similarity index 100% rename from testing/btest/language/copy.bro rename to testing/btest/language/copy.zeek diff --git a/testing/btest/language/count.bro b/testing/btest/language/count.zeek similarity index 100% rename from testing/btest/language/count.bro rename to testing/btest/language/count.zeek diff --git a/testing/btest/language/cross-product-init.bro b/testing/btest/language/cross-product-init.zeek similarity index 100% rename from testing/btest/language/cross-product-init.bro rename to testing/btest/language/cross-product-init.zeek diff --git a/testing/btest/language/default-params.bro b/testing/btest/language/default-params.zeek similarity index 100% rename from testing/btest/language/default-params.bro rename to testing/btest/language/default-params.zeek 
diff --git a/testing/btest/language/delete-field-set.bro b/testing/btest/language/delete-field-set.zeek
similarity index 100%
rename from testing/btest/language/delete-field-set.bro
rename to testing/btest/language/delete-field-set.zeek
diff --git a/testing/btest/language/delete-field.bro b/testing/btest/language/delete-field.zeek
similarity index 100%
rename from testing/btest/language/delete-field.bro
rename to testing/btest/language/delete-field.zeek
diff --git a/testing/btest/language/deprecated.bro b/testing/btest/language/deprecated.zeek
similarity index 100%
rename from testing/btest/language/deprecated.bro
rename to testing/btest/language/deprecated.zeek
diff --git a/testing/btest/language/double.bro b/testing/btest/language/double.zeek
similarity index 100%
rename from testing/btest/language/double.bro
rename to testing/btest/language/double.zeek
diff --git a/testing/btest/language/enum-desc.bro b/testing/btest/language/enum-desc.zeek
similarity index 100%
rename from testing/btest/language/enum-desc.bro
rename to testing/btest/language/enum-desc.zeek
diff --git a/testing/btest/language/enum-scope.bro b/testing/btest/language/enum-scope.zeek
similarity index 100%
rename from testing/btest/language/enum-scope.bro
rename to testing/btest/language/enum-scope.zeek
diff --git a/testing/btest/language/enum.bro b/testing/btest/language/enum.zeek
similarity index 100%
rename from testing/btest/language/enum.bro
rename to testing/btest/language/enum.zeek
diff --git a/testing/btest/language/eof-parse-errors.bro b/testing/btest/language/eof-parse-errors.zeek
similarity index 55%
rename from testing/btest/language/eof-parse-errors.bro
rename to testing/btest/language/eof-parse-errors.zeek
index a2c6edc66d..58d8eeacc4 100644
--- a/testing/btest/language/eof-parse-errors.bro
+++ b/testing/btest/language/eof-parse-errors.zeek
@@ -1,9 +1,9 @@ -# @TEST-EXEC-FAIL: bro -b a.bro >output1 2>&1 -# @TEST-EXEC-FAIL: bro -b a.bro b.bro >output2 2>&1 +# @TEST-EXEC-FAIL: bro -b a.zeek >output1 2>&1 +# @TEST-EXEC-FAIL: bro -b a.zeek b.zeek >output2 2>&1 # @TEST-EXEC: btest-diff output1 # @TEST-EXEC: btest-diff output2 -@TEST-START-FILE a.bro +@TEST-START-FILE a.zeek module A; event bro_init() @@ -11,7 +11,7 @@ event bro_init() print "a"; @TEST-END-FILE -@TEST-START-FILE b.bro +@TEST-START-FILE b.zeek module B; event bro_init() diff --git a/testing/btest/language/event-local-var.bro b/testing/btest/language/event-local-var.zeek similarity index 100% rename from testing/btest/language/event-local-var.bro rename to testing/btest/language/event-local-var.zeek diff --git a/testing/btest/language/event.bro b/testing/btest/language/event.zeek similarity index 100% rename from testing/btest/language/event.bro rename to testing/btest/language/event.zeek diff --git a/testing/btest/language/expire-expr-error.bro b/testing/btest/language/expire-expr-error.zeek similarity index 100% rename from testing/btest/language/expire-expr-error.bro rename to testing/btest/language/expire-expr-error.zeek diff --git a/testing/btest/language/expire-func-undef.bro b/testing/btest/language/expire-func-undef.zeek similarity index 100% rename from testing/btest/language/expire-func-undef.bro rename to testing/btest/language/expire-func-undef.zeek diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.zeek similarity index 100% rename from testing/btest/language/expire-redef.bro rename to testing/btest/language/expire-redef.zeek diff --git a/testing/btest/language/expire-type-error.bro b/testing/btest/language/expire-type-error.zeek similarity index 100% rename from testing/btest/language/expire-type-error.bro rename to testing/btest/language/expire-type-error.zeek 
diff --git a/testing/btest/language/expire_func_mod.bro b/testing/btest/language/expire_func_mod.zeek
similarity index 100%
rename from testing/btest/language/expire_func_mod.bro
rename to testing/btest/language/expire_func_mod.zeek
diff --git a/testing/btest/language/file.bro b/testing/btest/language/file.zeek
similarity index 100%
rename from testing/btest/language/file.bro
rename to testing/btest/language/file.zeek
diff --git a/testing/btest/language/for.bro b/testing/btest/language/for.zeek
similarity index 100%
rename from testing/btest/language/for.bro
rename to testing/btest/language/for.zeek
diff --git a/testing/btest/language/func-assignment.bro b/testing/btest/language/func-assignment.zeek
similarity index 100%
rename from testing/btest/language/func-assignment.bro
rename to testing/btest/language/func-assignment.zeek
diff --git a/testing/btest/language/function.bro b/testing/btest/language/function.zeek
similarity index 100%
rename from testing/btest/language/function.bro
rename to testing/btest/language/function.zeek
diff --git a/testing/btest/language/hook.bro b/testing/btest/language/hook.zeek
similarity index 100%
rename from testing/btest/language/hook.bro
rename to testing/btest/language/hook.zeek
diff --git a/testing/btest/language/hook_calls.bro b/testing/btest/language/hook_calls.zeek
similarity index 89%
rename from testing/btest/language/hook_calls.bro
rename to testing/btest/language/hook_calls.zeek
index 41ef6f52ae..411e0018bb 100644
--- a/testing/btest/language/hook_calls.bro
+++ b/testing/btest/language/hook_calls.zeek
@@ -1,11 +1,11 @@ -# @TEST-EXEC: bro -b valid.bro >valid.out +# @TEST-EXEC: bro -b valid.zeek >valid.out # @TEST-EXEC: btest-diff valid.out -# @TEST-EXEC-FAIL: bro -b invalid.bro > invalid.out 2>&1 +# @TEST-EXEC-FAIL: bro -b invalid.zeek > invalid.out 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff invalid.out # hook functions must be called using the "hook" keyword as an operator... -@TEST-START-FILE valid.bro +@TEST-START-FILE valid.zeek hook myhook(i: count) { print "myhook()", i; @@ -59,7 +59,7 @@ event bro_init() @TEST-END-FILE -@TEST-START-FILE invalid.bro +@TEST-START-FILE invalid.zeek hook myhook(i: count) { print "myhook()", i; diff --git a/testing/btest/language/if.bro b/testing/btest/language/if.zeek similarity index 100% rename from testing/btest/language/if.bro rename to testing/btest/language/if.zeek diff --git a/testing/btest/language/index-assignment-invalid.bro b/testing/btest/language/index-assignment-invalid.zeek similarity index 100% rename from testing/btest/language/index-assignment-invalid.bro rename to testing/btest/language/index-assignment-invalid.zeek diff --git a/testing/btest/language/init-in-anon-function.bro b/testing/btest/language/init-in-anon-function.zeek similarity index 100% rename from testing/btest/language/init-in-anon-function.bro rename to testing/btest/language/init-in-anon-function.zeek diff --git a/testing/btest/language/int.bro b/testing/btest/language/int.zeek similarity index 100% rename from testing/btest/language/int.bro rename to testing/btest/language/int.zeek diff --git a/testing/btest/language/interval.bro b/testing/btest/language/interval.zeek similarity index 100% rename from testing/btest/language/interval.bro rename to testing/btest/language/interval.zeek diff --git a/testing/btest/language/invalid_index.bro b/testing/btest/language/invalid_index.zeek similarity index 100% rename from testing/btest/language/invalid_index.bro rename to testing/btest/language/invalid_index.zeek 
diff --git a/testing/btest/language/ipv6-literals.bro b/testing/btest/language/ipv6-literals.zeek
similarity index 100%
rename from testing/btest/language/ipv6-literals.bro
rename to testing/btest/language/ipv6-literals.zeek
diff --git a/testing/btest/language/key-value-for.bro b/testing/btest/language/key-value-for.zeek
similarity index 100%
rename from testing/btest/language/key-value-for.bro
rename to testing/btest/language/key-value-for.zeek
diff --git a/testing/btest/language/module.bro b/testing/btest/language/module.zeek
similarity index 100%
rename from testing/btest/language/module.bro
rename to testing/btest/language/module.zeek
diff --git a/testing/btest/language/named-record-ctors.bro b/testing/btest/language/named-record-ctors.zeek
similarity index 100%
rename from testing/btest/language/named-record-ctors.bro
rename to testing/btest/language/named-record-ctors.zeek
diff --git a/testing/btest/language/named-set-ctors.bro b/testing/btest/language/named-set-ctors.zeek
similarity index 100%
rename from testing/btest/language/named-set-ctors.bro
rename to testing/btest/language/named-set-ctors.zeek
diff --git a/testing/btest/language/named-table-ctors.bro b/testing/btest/language/named-table-ctors.zeek
similarity index 100%
rename from testing/btest/language/named-table-ctors.bro
rename to testing/btest/language/named-table-ctors.zeek
diff --git a/testing/btest/language/named-vector-ctors.bro b/testing/btest/language/named-vector-ctors.zeek
similarity index 100%
rename from testing/btest/language/named-vector-ctors.bro
rename to testing/btest/language/named-vector-ctors.zeek
diff --git a/testing/btest/language/nested-sets.bro b/testing/btest/language/nested-sets.zeek
similarity index 100%
rename from testing/btest/language/nested-sets.bro
rename to testing/btest/language/nested-sets.zeek
diff --git a/testing/btest/language/next-test.bro b/testing/btest/language/next-test.zeek
similarity index 100%
rename from testing/btest/language/next-test.bro
rename to testing/btest/language/next-test.zeek
diff --git a/testing/btest/language/no-module.bro b/testing/btest/language/no-module.zeek
similarity index 100%
rename from testing/btest/language/no-module.bro
rename to testing/btest/language/no-module.zeek
diff --git a/testing/btest/language/null-statement.bro b/testing/btest/language/null-statement.zeek
similarity index 100%
rename from testing/btest/language/null-statement.bro
rename to testing/btest/language/null-statement.zeek
diff --git a/testing/btest/language/outer_param_binding.bro b/testing/btest/language/outer_param_binding.zeek
similarity index 100%
rename from testing/btest/language/outer_param_binding.bro
rename to testing/btest/language/outer_param_binding.zeek
diff --git a/testing/btest/language/pattern.bro b/testing/btest/language/pattern.zeek
similarity index 100%
rename from testing/btest/language/pattern.bro
rename to testing/btest/language/pattern.zeek
diff --git a/testing/btest/language/port.bro b/testing/btest/language/port.zeek
similarity index 100%
rename from testing/btest/language/port.bro
rename to testing/btest/language/port.zeek
diff --git a/testing/btest/language/precedence.bro b/testing/btest/language/precedence.zeek
similarity index 100%
rename from testing/btest/language/precedence.bro
rename to testing/btest/language/precedence.zeek
diff --git a/testing/btest/language/rec-comp-init.bro b/testing/btest/language/rec-comp-init.zeek
similarity index 100%
rename from testing/btest/language/rec-comp-init.bro
rename to testing/btest/language/rec-comp-init.zeek
diff --git a/testing/btest/language/rec-nested-opt.bro b/testing/btest/language/rec-nested-opt.zeek
similarity index 100%
rename from testing/btest/language/rec-nested-opt.bro
rename to testing/btest/language/rec-nested-opt.zeek
diff --git a/testing/btest/language/rec-of-tbl.bro b/testing/btest/language/rec-of-tbl.zeek
similarity index 100%
rename from testing/btest/language/rec-of-tbl.bro
rename to testing/btest/language/rec-of-tbl.zeek
diff --git a/testing/btest/language/rec-table-default.bro b/testing/btest/language/rec-table-default.zeek
similarity index 100%
rename from testing/btest/language/rec-table-default.bro
rename to testing/btest/language/rec-table-default.zeek
diff --git a/testing/btest/language/record-bad-ctor.bro b/testing/btest/language/record-bad-ctor.zeek
similarity index 100%
rename from testing/btest/language/record-bad-ctor.bro
rename to testing/btest/language/record-bad-ctor.zeek
diff --git a/testing/btest/language/record-bad-ctor2.bro b/testing/btest/language/record-bad-ctor2.zeek
similarity index 100%
rename from testing/btest/language/record-bad-ctor2.bro
rename to testing/btest/language/record-bad-ctor2.zeek
diff --git a/testing/btest/language/record-ceorce-orphan.bro b/testing/btest/language/record-ceorce-orphan.zeek
similarity index 100%
rename from testing/btest/language/record-ceorce-orphan.bro
rename to testing/btest/language/record-ceorce-orphan.zeek
diff --git a/testing/btest/language/record-coerce-clash.bro b/testing/btest/language/record-coerce-clash.zeek
similarity index 100%
rename from testing/btest/language/record-coerce-clash.bro
rename to testing/btest/language/record-coerce-clash.zeek
diff --git a/testing/btest/language/record-default-coercion.bro b/testing/btest/language/record-default-coercion.zeek
similarity index 100%
rename from testing/btest/language/record-default-coercion.bro
rename to testing/btest/language/record-default-coercion.zeek
diff --git a/testing/btest/language/record-default-set-mismatch.bro b/testing/btest/language/record-default-set-mismatch.zeek
similarity index 100%
rename from testing/btest/language/record-default-set-mismatch.bro
rename to testing/btest/language/record-default-set-mismatch.zeek
diff --git a/testing/btest/language/record-extension.bro b/testing/btest/language/record-extension.zeek
similarity index 100%
rename from testing/btest/language/record-extension.bro
rename to testing/btest/language/record-extension.zeek
diff --git a/testing/btest/language/record-function-recursion.bro b/testing/btest/language/record-function-recursion.zeek
similarity index 100%
rename from testing/btest/language/record-function-recursion.bro
rename to testing/btest/language/record-function-recursion.zeek
diff --git a/testing/btest/language/record-index-complex-fields.bro b/testing/btest/language/record-index-complex-fields.zeek
similarity index 100%
rename from testing/btest/language/record-index-complex-fields.bro
rename to testing/btest/language/record-index-complex-fields.zeek
diff --git a/testing/btest/language/record-recursive-coercion.bro b/testing/btest/language/record-recursive-coercion.zeek
similarity index 100%
rename from testing/btest/language/record-recursive-coercion.bro
rename to testing/btest/language/record-recursive-coercion.zeek
diff --git a/testing/btest/language/record-redef-after-init.bro b/testing/btest/language/record-redef-after-init.zeek
similarity index 100%
rename from testing/btest/language/record-redef-after-init.bro
rename to testing/btest/language/record-redef-after-init.zeek
diff --git a/testing/btest/language/record-ref-assign.bro b/testing/btest/language/record-ref-assign.zeek
similarity index 100%
rename from testing/btest/language/record-ref-assign.bro
rename to testing/btest/language/record-ref-assign.zeek
diff --git a/testing/btest/language/record-type-checking.bro b/testing/btest/language/record-type-checking.zeek
similarity index 100%
rename from testing/btest/language/record-type-checking.bro
rename to testing/btest/language/record-type-checking.zeek
diff --git a/testing/btest/language/redef-same-prefixtable-idx.bro b/testing/btest/language/redef-same-prefixtable-idx.zeek
similarity index 100%
rename from testing/btest/language/redef-same-prefixtable-idx.bro
rename to testing/btest/language/redef-same-prefixtable-idx.zeek
diff --git a/testing/btest/language/redef-vector.bro b/testing/btest/language/redef-vector.zeek
similarity index 100%
rename from testing/btest/language/redef-vector.bro
rename to testing/btest/language/redef-vector.zeek
diff --git a/testing/btest/language/returnwhen.bro b/testing/btest/language/returnwhen.zeek
similarity index 100%
rename from testing/btest/language/returnwhen.bro
rename to testing/btest/language/returnwhen.zeek
diff --git a/testing/btest/language/set-opt-record-index.bro b/testing/btest/language/set-opt-record-index.zeek
similarity index 100%
rename from testing/btest/language/set-opt-record-index.bro
rename to testing/btest/language/set-opt-record-index.zeek
diff --git a/testing/btest/language/set-type-checking.bro b/testing/btest/language/set-type-checking.zeek
similarity index 100%
rename from testing/btest/language/set-type-checking.bro
rename to testing/btest/language/set-type-checking.zeek
diff --git a/testing/btest/language/set.bro b/testing/btest/language/set.zeek
similarity index 100%
rename from testing/btest/language/set.bro
rename to testing/btest/language/set.zeek
diff --git a/testing/btest/language/short-circuit.bro b/testing/btest/language/short-circuit.zeek
similarity index 100%
rename from testing/btest/language/short-circuit.bro
rename to testing/btest/language/short-circuit.zeek
diff --git a/testing/btest/language/sizeof.bro b/testing/btest/language/sizeof.zeek
similarity index 100%
rename from testing/btest/language/sizeof.bro
rename to testing/btest/language/sizeof.zeek
diff --git a/testing/btest/language/smith-waterman-test.bro b/testing/btest/language/smith-waterman-test.zeek
similarity index 100%
rename from testing/btest/language/smith-waterman-test.bro
rename to testing/btest/language/smith-waterman-test.zeek
diff --git a/testing/btest/language/string-indexing.bro b/testing/btest/language/string-indexing.zeek
similarity index 100%
rename from testing/btest/language/string-indexing.bro
rename to testing/btest/language/string-indexing.zeek
diff --git a/testing/btest/language/string.bro b/testing/btest/language/string.zeek
similarity index 100%
rename from testing/btest/language/string.bro
rename to testing/btest/language/string.zeek
diff --git a/testing/btest/language/strings.bro b/testing/btest/language/strings.zeek
similarity index 100%
rename from testing/btest/language/strings.bro
rename to testing/btest/language/strings.zeek
diff --git a/testing/btest/language/subnet-errors.bro b/testing/btest/language/subnet-errors.zeek
similarity index 100%
rename from testing/btest/language/subnet-errors.bro
rename to testing/btest/language/subnet-errors.zeek
diff --git a/testing/btest/language/subnet.bro b/testing/btest/language/subnet.zeek
similarity index 100%
rename from testing/btest/language/subnet.bro
rename to testing/btest/language/subnet.zeek
diff --git a/testing/btest/language/switch-error-mixed.bro b/testing/btest/language/switch-error-mixed.zeek
similarity index 100%
rename from testing/btest/language/switch-error-mixed.bro
rename to testing/btest/language/switch-error-mixed.zeek
diff --git a/testing/btest/language/switch-incomplete.bro b/testing/btest/language/switch-incomplete.zeek
similarity index 100%
rename from testing/btest/language/switch-incomplete.bro
rename to testing/btest/language/switch-incomplete.zeek
diff --git a/testing/btest/language/switch-statement.bro b/testing/btest/language/switch-statement.zeek
similarity index 100%
rename from testing/btest/language/switch-statement.bro
rename to testing/btest/language/switch-statement.zeek
diff --git a/testing/btest/language/switch-types-error-duplicate.bro b/testing/btest/language/switch-types-error-duplicate.zeek
similarity index 100%
rename from testing/btest/language/switch-types-error-duplicate.bro
rename to testing/btest/language/switch-types-error-duplicate.zeek
diff --git a/testing/btest/language/switch-types-error-unsupported.bro b/testing/btest/language/switch-types-error-unsupported.zeek
similarity index 100%
rename from testing/btest/language/switch-types-error-unsupported.bro
rename to testing/btest/language/switch-types-error-unsupported.zeek
diff --git a/testing/btest/language/switch-types-vars.bro b/testing/btest/language/switch-types-vars.zeek
similarity index 100%
rename from testing/btest/language/switch-types-vars.bro
rename to testing/btest/language/switch-types-vars.zeek
diff --git a/testing/btest/language/switch-types.bro b/testing/btest/language/switch-types.zeek
similarity index 100%
rename from testing/btest/language/switch-types.bro
rename to testing/btest/language/switch-types.zeek
diff --git a/testing/btest/language/table-default-record.bro b/testing/btest/language/table-default-record.zeek
similarity index 100%
rename from testing/btest/language/table-default-record.bro
rename to testing/btest/language/table-default-record.zeek
diff --git a/testing/btest/language/table-init-attrs.bro b/testing/btest/language/table-init-attrs.zeek
similarity index 100%
rename from testing/btest/language/table-init-attrs.bro
rename to testing/btest/language/table-init-attrs.zeek
diff --git a/testing/btest/language/table-init-container-ctors.bro b/testing/btest/language/table-init-container-ctors.zeek
similarity index 100%
rename from testing/btest/language/table-init-container-ctors.bro
rename to testing/btest/language/table-init-container-ctors.zeek
diff --git a/testing/btest/language/table-init-record-idx.bro b/testing/btest/language/table-init-record-idx.zeek
similarity index 100%
rename from testing/btest/language/table-init-record-idx.bro
rename to testing/btest/language/table-init-record-idx.zeek
diff --git a/testing/btest/language/table-init.bro b/testing/btest/language/table-init.zeek
similarity index 100%
rename from testing/btest/language/table-init.bro
rename to testing/btest/language/table-init.zeek
diff --git a/testing/btest/language/table-redef.bro b/testing/btest/language/table-redef.zeek
similarity index 100%
rename from testing/btest/language/table-redef.bro
rename to testing/btest/language/table-redef.zeek
diff --git a/testing/btest/language/table-type-checking.bro b/testing/btest/language/table-type-checking.zeek
similarity index 100%
rename from testing/btest/language/table-type-checking.bro
rename to testing/btest/language/table-type-checking.zeek
diff --git a/testing/btest/language/table.bro b/testing/btest/language/table.zeek
similarity index 100%
rename from testing/btest/language/table.bro
rename to testing/btest/language/table.zeek
diff --git a/testing/btest/language/ternary-record-mismatch.bro b/testing/btest/language/ternary-record-mismatch.zeek
similarity index 100%
rename from testing/btest/language/ternary-record-mismatch.bro
rename to testing/btest/language/ternary-record-mismatch.zeek
diff --git a/testing/btest/language/time.bro b/testing/btest/language/time.zeek
similarity index 100%
rename from testing/btest/language/time.bro
rename to testing/btest/language/time.zeek
diff --git a/testing/btest/language/timeout.bro b/testing/btest/language/timeout.zeek
similarity index 100%
rename from testing/btest/language/timeout.bro
rename to testing/btest/language/timeout.zeek
diff --git a/testing/btest/language/type-cast-any.bro b/testing/btest/language/type-cast-any.zeek
similarity index 100%
rename from testing/btest/language/type-cast-any.bro
rename to testing/btest/language/type-cast-any.zeek
diff --git a/testing/btest/language/type-cast-error-dynamic.bro b/testing/btest/language/type-cast-error-dynamic.zeek
similarity index 100%
rename from testing/btest/language/type-cast-error-dynamic.bro
rename to testing/btest/language/type-cast-error-dynamic.zeek
diff --git a/testing/btest/language/type-cast-error-static.bro b/testing/btest/language/type-cast-error-static.zeek
similarity index 100%
rename from testing/btest/language/type-cast-error-static.bro
rename to testing/btest/language/type-cast-error-static.zeek
diff --git a/testing/btest/language/type-cast-same.bro b/testing/btest/language/type-cast-same.zeek
similarity index 100%
rename from testing/btest/language/type-cast-same.bro
rename to testing/btest/language/type-cast-same.zeek
diff --git a/testing/btest/language/type-check-any.bro b/testing/btest/language/type-check-any.zeek
similarity index 100%
rename from testing/btest/language/type-check-any.bro
rename to testing/btest/language/type-check-any.zeek
diff --git a/testing/btest/language/type-check-vector.bro b/testing/btest/language/type-check-vector.zeek
similarity index 100%
rename from testing/btest/language/type-check-vector.bro
rename to testing/btest/language/type-check-vector.zeek
diff --git a/testing/btest/language/type-type-error.bro b/testing/btest/language/type-type-error.zeek
similarity index 100%
rename from testing/btest/language/type-type-error.bro
rename to testing/btest/language/type-type-error.zeek
diff --git a/testing/btest/language/undefined-delete-field.bro b/testing/btest/language/undefined-delete-field.zeek
similarity index 100%
rename from testing/btest/language/undefined-delete-field.bro
rename to testing/btest/language/undefined-delete-field.zeek
diff --git a/testing/btest/language/uninitialized-local.bro b/testing/btest/language/uninitialized-local.zeek
similarity index 100%
rename from testing/btest/language/uninitialized-local.bro
rename to testing/btest/language/uninitialized-local.zeek
diff --git a/testing/btest/language/uninitialized-local2.bro b/testing/btest/language/uninitialized-local2.zeek
similarity index 100%
rename from testing/btest/language/uninitialized-local2.bro
rename to testing/btest/language/uninitialized-local2.zeek
diff --git a/testing/btest/language/vector-any-append.bro b/testing/btest/language/vector-any-append.zeek
similarity index 100%
rename from testing/btest/language/vector-any-append.bro
rename to testing/btest/language/vector-any-append.zeek
diff --git a/testing/btest/language/vector-coerce-expr.bro b/testing/btest/language/vector-coerce-expr.zeek
similarity index 100%
rename from testing/btest/language/vector-coerce-expr.bro
rename to testing/btest/language/vector-coerce-expr.zeek
diff --git a/testing/btest/language/vector-in-operator.bro b/testing/btest/language/vector-in-operator.zeek
similarity index 100%
rename from testing/btest/language/vector-in-operator.bro
rename to testing/btest/language/vector-in-operator.zeek
diff --git a/testing/btest/language/vector-list-init-records.bro b/testing/btest/language/vector-list-init-records.zeek
similarity index 100%
rename from testing/btest/language/vector-list-init-records.bro
rename to testing/btest/language/vector-list-init-records.zeek
diff --git a/testing/btest/language/vector-type-checking.bro b/testing/btest/language/vector-type-checking.zeek
similarity index 100%
rename from testing/btest/language/vector-type-checking.bro
rename to testing/btest/language/vector-type-checking.zeek
diff --git a/testing/btest/language/vector-unspecified.bro b/testing/btest/language/vector-unspecified.zeek
similarity index 100%
rename from testing/btest/language/vector-unspecified.bro
rename to testing/btest/language/vector-unspecified.zeek
diff --git a/testing/btest/language/vector.bro b/testing/btest/language/vector.zeek
similarity index 100%
rename from testing/btest/language/vector.bro
rename to testing/btest/language/vector.zeek
diff --git a/testing/btest/language/when-unitialized-rhs.bro b/testing/btest/language/when-unitialized-rhs.zeek
similarity index 100%
rename from testing/btest/language/when-unitialized-rhs.bro
rename to testing/btest/language/when-unitialized-rhs.zeek
diff --git a/testing/btest/language/when.bro b/testing/btest/language/when.zeek
similarity index 100%
rename from testing/btest/language/when.bro
rename to testing/btest/language/when.zeek
diff --git a/testing/btest/language/while.bro b/testing/btest/language/while.zeek
similarity index 100%
rename from testing/btest/language/while.bro
rename to testing/btest/language/while.zeek
diff --git a/testing/btest/language/wrong-delete-field.bro b/testing/btest/language/wrong-delete-field.zeek
similarity index 100%
rename from testing/btest/language/wrong-delete-field.bro
rename to testing/btest/language/wrong-delete-field.zeek
diff --git a/testing/btest/language/wrong-record-extension.bro b/testing/btest/language/wrong-record-extension.zeek
similarity index 100%
rename from testing/btest/language/wrong-record-extension.bro
rename to testing/btest/language/wrong-record-extension.zeek
diff --git a/testing/btest/plugins/file.bro b/testing/btest/plugins/file.zeek
similarity index 100%
rename from testing/btest/plugins/file.bro
rename to testing/btest/plugins/file.zeek
diff --git a/testing/btest/plugins/hooks.bro b/testing/btest/plugins/hooks.zeek
similarity index 100%
rename from testing/btest/plugins/hooks.bro
rename to testing/btest/plugins/hooks.zeek
diff --git a/testing/btest/plugins/init-plugin.bro b/testing/btest/plugins/init-plugin.zeek
similarity index 100%
rename from testing/btest/plugins/init-plugin.bro
rename to testing/btest/plugins/init-plugin.zeek
diff --git a/testing/btest/plugins/logging-hooks.bro b/testing/btest/plugins/logging-hooks.zeek
similarity index 100%
rename from testing/btest/plugins/logging-hooks.bro
rename to testing/btest/plugins/logging-hooks.zeek
diff --git a/testing/btest/plugins/pktdumper.bro b/testing/btest/plugins/pktdumper.zeek
similarity index 100%
rename from testing/btest/plugins/pktdumper.bro
rename to testing/btest/plugins/pktdumper.zeek
diff --git a/testing/btest/plugins/pktsrc.bro b/testing/btest/plugins/pktsrc.zeek
similarity index 100%
rename from testing/btest/plugins/pktsrc.bro
rename to testing/btest/plugins/pktsrc.zeek
diff --git a/testing/btest/plugins/plugin-nopatchversion.bro b/testing/btest/plugins/plugin-nopatchversion.zeek
similarity index 100%
rename from testing/btest/plugins/plugin-nopatchversion.bro
rename to testing/btest/plugins/plugin-nopatchversion.zeek
diff --git a/testing/btest/plugins/plugin-withpatchversion.bro b/testing/btest/plugins/plugin-withpatchversion.zeek
similarity index 100%
rename from testing/btest/plugins/plugin-withpatchversion.bro
rename to testing/btest/plugins/plugin-withpatchversion.zeek
diff --git a/testing/btest/plugins/protocol-plugin/scripts/Demo/Foo/base/main.bro b/testing/btest/plugins/protocol-plugin/scripts/Demo/Foo/base/main.zeek
similarity index 100%
rename from testing/btest/plugins/protocol-plugin/scripts/Demo/Foo/base/main.bro
rename to testing/btest/plugins/protocol-plugin/scripts/Demo/Foo/base/main.zeek
diff --git a/testing/btest/plugins/protocol.bro b/testing/btest/plugins/protocol.zeek
similarity index 100%
rename from testing/btest/plugins/protocol.bro
rename to testing/btest/plugins/protocol.zeek
diff --git a/testing/btest/plugins/reader.bro b/testing/btest/plugins/reader.zeek
similarity index 100%
rename from testing/btest/plugins/reader.bro
rename to testing/btest/plugins/reader.zeek
diff --git a/testing/btest/plugins/reporter-hook.bro b/testing/btest/plugins/reporter-hook.zeek
similarity index 100%
rename from testing/btest/plugins/reporter-hook.bro
rename to testing/btest/plugins/reporter-hook.zeek
diff --git a/testing/btest/plugins/writer.bro b/testing/btest/plugins/writer.zeek
similarity index 100%
rename from testing/btest/plugins/writer.bro
rename to testing/btest/plugins/writer.zeek
diff --git a/testing/btest/scripts/base/files/data_event/basic.bro b/testing/btest/scripts/base/files/data_event/basic.zeek
similarity index 100%
rename from testing/btest/scripts/base/files/data_event/basic.bro
rename to testing/btest/scripts/base/files/data_event/basic.zeek
diff --git a/testing/btest/scripts/base/files/extract/limit.bro b/testing/btest/scripts/base/files/extract/limit.zeek
similarity index 100%
rename from testing/btest/scripts/base/files/extract/limit.bro
rename to testing/btest/scripts/base/files/extract/limit.zeek
diff --git a/testing/btest/scripts/base/files/unified2/alert.bro b/testing/btest/scripts/base/files/unified2/alert.zeek
similarity index 100%
rename from testing/btest/scripts/base/files/unified2/alert.bro
rename to testing/btest/scripts/base/files/unified2/alert.zeek
diff --git a/testing/btest/scripts/base/frameworks/analyzer/disable-analyzer.bro b/testing/btest/scripts/base/frameworks/analyzer/disable-analyzer.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/analyzer/disable-analyzer.bro
rename to testing/btest/scripts/base/frameworks/analyzer/disable-analyzer.zeek
diff --git a/testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.bro b/testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.bro
rename to testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.zeek
diff --git a/testing/btest/scripts/base/frameworks/analyzer/register-for-port.bro b/testing/btest/scripts/base/frameworks/analyzer/register-for-port.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/analyzer/register-for-port.bro
rename to testing/btest/scripts/base/frameworks/analyzer/register-for-port.zeek
diff --git a/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro
rename to testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.zeek
diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro
rename to testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek
index dc2558f2a4..6a9cb6ed00 100644
--- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro
+++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek
@@ -10,7 +10,7 @@ # @TEST-EXEC: btest-bg-wait 30 # @TEST-EXEC: btest-diff manager-1/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro rename to testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek index 08202bd727..fdc291ab35 100644 --- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro +++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek @@ -10,7 +10,7 @@ # @TEST-EXEC: btest-bg-wait 30 # @TEST-EXEC: btest-diff manager-1/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/cluster/forwarding.bro b/testing/btest/scripts/base/frameworks/cluster/forwarding.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/cluster/forwarding.bro rename to testing/btest/scripts/base/frameworks/cluster/forwarding.zeek index e62a2ced66..7c679277d4 100644 --- a/testing/btest/scripts/base/frameworks/cluster/forwarding.bro +++ b/testing/btest/scripts/base/frameworks/cluster/forwarding.zeek 
@@ -16,7 +16,7 @@ # @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/log_distribution.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/cluster/log_distribution.bro rename to testing/btest/scripts/base/frameworks/cluster/log_distribution.zeek index 199e265674..375665356c 100644 --- a/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro +++ b/testing/btest/scripts/base/frameworks/cluster/log_distribution.zeek @@ -11,7 +11,7 @@ # @TEST-EXEC: btest-diff logger-1/test.log # @TEST-EXEC: btest-diff logger-2/test.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::manager_is_logger = F; redef Cluster::nodes = { diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro rename to testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.zeek index d94875e858..c28f3f0fe3 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.zeek 
@@ -19,7 +19,7 @@ # @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::manager_is_logger = F; redef Cluster::nodes = { ["logger-1"] = [$node_type=Cluster::LOGGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/cluster/start-it-up.bro rename to testing/btest/scripts/base/frameworks/cluster/start-it-up.zeek index eee6c29215..4580183d6f 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up.zeek @@ -16,7 +16,7 @@ # @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro rename to testing/btest/scripts/base/frameworks/cluster/topic_distribution.zeek index 317a38fbaa..94a78e5304 100644 --- a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.zeek 
@@ -10,7 +10,7 @@ # @TEST-EXEC: btest-bg-wait 30 # @TEST-EXEC: btest-diff manager-1/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro rename to testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.zeek index 35ed52f883..a0b98aeb39 100644 --- a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.zeek @@ -12,7 +12,7 @@ # @TEST-EXEC: btest-diff proxy-1/.stdout # @TEST-EXEC: btest-diff proxy-2/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/config/basic.bro b/testing/btest/scripts/base/frameworks/config/basic.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/config/basic.bro rename to testing/btest/scripts/base/frameworks/config/basic.zeek 
diff --git a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro b/testing/btest/scripts/base/frameworks/config/basic_cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/config/basic_cluster.bro rename to testing/btest/scripts/base/frameworks/config/basic_cluster.zeek index 99f1de8aeb..866901e752 100644 --- a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro +++ b/testing/btest/scripts/base/frameworks/config/basic_cluster.zeek @@ -15,7 +15,7 @@ @load base/frameworks/config -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/config/cluster_resend.bro b/testing/btest/scripts/base/frameworks/config/cluster_resend.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/config/cluster_resend.bro rename to testing/btest/scripts/base/frameworks/config/cluster_resend.zeek index c66d5b2ba2..6390eda2c0 100644 --- a/testing/btest/scripts/base/frameworks/config/cluster_resend.bro +++ b/testing/btest/scripts/base/frameworks/config/cluster_resend.zeek @@ -19,7 +19,7 @@ @load base/frameworks/config -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], 
diff --git a/testing/btest/scripts/base/frameworks/config/read_config.bro b/testing/btest/scripts/base/frameworks/config/read_config.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/config/read_config.bro rename to testing/btest/scripts/base/frameworks/config/read_config.zeek diff --git a/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro b/testing/btest/scripts/base/frameworks/config/read_config_cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/config/read_config_cluster.bro rename to testing/btest/scripts/base/frameworks/config/read_config_cluster.zeek index 3f77a0fdc3..c5b9bcdbb5 100644 --- a/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro +++ b/testing/btest/scripts/base/frameworks/config/read_config_cluster.zeek @@ -15,7 +15,7 @@ @load base/frameworks/config -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/config/several-files.bro b/testing/btest/scripts/base/frameworks/config/several-files.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/config/several-files.bro rename to testing/btest/scripts/base/frameworks/config/several-files.zeek diff --git a/testing/btest/scripts/base/frameworks/config/updates.bro b/testing/btest/scripts/base/frameworks/config/updates.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/config/updates.bro rename to testing/btest/scripts/base/frameworks/config/updates.zeek 
diff --git a/testing/btest/scripts/base/frameworks/config/weird.bro b/testing/btest/scripts/base/frameworks/config/weird.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/config/weird.bro rename to testing/btest/scripts/base/frameworks/config/weird.zeek diff --git a/testing/btest/scripts/base/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/control/configuration_update.bro rename to testing/btest/scripts/base/frameworks/control/configuration_update.zeek index e90151bcbb..f0bbc6c907 100644 --- a/testing/btest/scripts/base/frameworks/control/configuration_update.bro +++ b/testing/btest/scripts/base/frameworks/control/configuration_update.zeek @@ -7,7 +7,7 @@ const test_var = "ORIGINAL VALUE (this should be printed out first)" &redef; -@TEST-START-FILE test-redef.bro +@TEST-START-FILE test-redef.zeek redef test_var = "NEW VALUE (this should be printed out second)"; @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/control/id_value.bro b/testing/btest/scripts/base/frameworks/control/id_value.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/control/id_value.bro rename to testing/btest/scripts/base/frameworks/control/id_value.zeek index 2528b28c25..a557f6487e 100644 --- a/testing/btest/scripts/base/frameworks/control/id_value.bro +++ b/testing/btest/scripts/base/frameworks/control/id_value.zeek @@ -8,7 +8,7 @@ # This value shouldn't ever be printed to the controllers stdout. const test_var = "Original value" &redef; -@TEST-START-FILE only-for-controllee.bro +@TEST-START-FILE only-for-controllee.zeek # This is only loaded on the controllee, but it's sent to the controller # and should be printed there. redef test_var = "This is the value from the controllee"; 
diff --git a/testing/btest/scripts/base/frameworks/control/shutdown.bro b/testing/btest/scripts/base/frameworks/control/shutdown.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/control/shutdown.bro rename to testing/btest/scripts/base/frameworks/control/shutdown.zeek diff --git a/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro b/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.zeek similarity index 84% rename from testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro rename to testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.zeek index bcecbd8aa3..919d3b62c6 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out redef test_print_file_data_events = T; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.zeek diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.bro rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.zeek 
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.zeek similarity index 94% rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.zeek index a3704618bd..2c6f0a3d07 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >get.out # @TEST-EXEC: btest-diff get.out redef test_file_analysis_source = "HTTP"; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.zeek index c9eac4c31d..c44b1ec66b 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT +# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.zeek %INPUT # @TEST-EXEC: btest-bg-wait 8 # @TEST-EXEC: btest-diff bro/.stdout 
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.zeek similarity index 86% rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.zeek index dd40c69684..cfd2e0c67b 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >get.out # @TEST-EXEC: btest-diff get.out # @TEST-EXEC: test ! -s Cx92a0ym5R8-file diff --git a/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro b/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro rename to testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.zeek diff --git a/testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro b/testing/btest/scripts/base/frameworks/file-analysis/byteranges.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro rename to testing/btest/scripts/base/frameworks/file-analysis/byteranges.zeek diff --git a/testing/btest/scripts/base/frameworks/file-analysis/ftp.bro b/testing/btest/scripts/base/frameworks/file-analysis/ftp.zeek similarity index 91% rename from testing/btest/scripts/base/frameworks/file-analysis/ftp.bro rename to testing/btest/scripts/base/frameworks/file-analysis/ftp.zeek index 2c2da188fe..a25fde74e5 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/ftp.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/ftp.zeek 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff thefile diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/get.zeek similarity index 84% rename from testing/btest/scripts/base/frameworks/file-analysis/http/get.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/get.zeek index f7f4a0395b..d90e08e08b 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/get.zeek @@ -1,5 +1,5 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT c=1 >get.out -# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT c=2 >get-gzip.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT c=1 >get.out +# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.zeek %INPUT c=2 >get-gzip.out # @TEST-EXEC: btest-diff get.out # @TEST-EXEC: btest-diff get-gzip.out # @TEST-EXEC: btest-diff 1-file diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/multipart.zeek index 57fe2348c2..400b787b52 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.zeek 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff 1-file # @TEST-EXEC: btest-diff 2-file diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.zeek similarity index 87% rename from testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.zeek index 93443f0ca8..bb5ef7f800 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.zeek @@ -1,14 +1,14 @@ -# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out +# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >a.out # @TEST-EXEC: btest-diff a.out # @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >a.size # @TEST-EXEC: btest-diff a.size -# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out +# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >b.out # @TEST-EXEC: btest-diff b.out # @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >b.size # @TEST-EXEC: btest-diff b.size -# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out +# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >c.out # @TEST-EXEC: btest-diff c.out # @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >c.size # @TEST-EXEC: btest-diff c.size 
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.zeek similarity index 90% rename from testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.zeek index 36743a8bad..cdd69b84a9 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff 1-file # @TEST-EXEC: btest-diff 2-file diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/post.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/file-analysis/http/post.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/post.zeek index 79ac1cb5c1..75efb27781 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/post.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff 1-file # @TEST-EXEC: btest-diff 2-file 
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro rename to testing/btest/scripts/base/frameworks/file-analysis/input/basic.zeek index 053341c840..27be2b943c 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: btest-bg-run bro bro -b $SCRIPTS/file-analysis-test.bro %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b $SCRIPTS/file-analysis-test.zeek %INPUT # @TEST-EXEC: btest-bg-wait 8 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: diff -q bro/FK8WqY1Q9U1rVxnDge-file input.log diff --git a/testing/btest/scripts/base/frameworks/file-analysis/irc.bro b/testing/btest/scripts/base/frameworks/file-analysis/irc.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/file-analysis/irc.bro rename to testing/btest/scripts/base/frameworks/file-analysis/irc.zeek index 9fd8e06613..a1fd1e36d5 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/irc.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/irc.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff thefile diff --git a/testing/btest/scripts/base/frameworks/file-analysis/logging.bro b/testing/btest/scripts/base/frameworks/file-analysis/logging.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/file-analysis/logging.bro rename to testing/btest/scripts/base/frameworks/file-analysis/logging.zeek index 1d1f5fd721..597f8a26bb 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/logging.bro 
+++ b/testing/btest/scripts/base/frameworks/file-analysis/logging.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT # @TEST-EXEC: btest-diff files.log redef test_file_analysis_source = "HTTP"; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/smtp.bro b/testing/btest/scripts/base/frameworks/file-analysis/smtp.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/file-analysis/smtp.bro rename to testing/btest/scripts/base/frameworks/file-analysis/smtp.zeek index 79b929c4cd..9edec8abc1 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/smtp.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/smtp.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/smtp.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/smtp.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff thefile0 # @TEST-EXEC: btest-diff thefile1 diff --git a/testing/btest/scripts/base/frameworks/input/basic.bro b/testing/btest/scripts/base/frameworks/input/basic.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/basic.bro rename to testing/btest/scripts/base/frameworks/input/basic.zeek diff --git a/testing/btest/scripts/base/frameworks/input/bignumber.bro b/testing/btest/scripts/base/frameworks/input/bignumber.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/bignumber.bro rename to testing/btest/scripts/base/frameworks/input/bignumber.zeek diff --git a/testing/btest/scripts/base/frameworks/input/binary.bro b/testing/btest/scripts/base/frameworks/input/binary.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/binary.bro rename to testing/btest/scripts/base/frameworks/input/binary.zeek 
diff --git a/testing/btest/scripts/base/frameworks/input/config/basic.bro b/testing/btest/scripts/base/frameworks/input/config/basic.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/config/basic.bro
rename to testing/btest/scripts/base/frameworks/input/config/basic.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/config/errors.bro b/testing/btest/scripts/base/frameworks/input/config/errors.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/config/errors.bro
rename to testing/btest/scripts/base/frameworks/input/config/errors.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/config/spaces.bro b/testing/btest/scripts/base/frameworks/input/config/spaces.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/config/spaces.bro
rename to testing/btest/scripts/base/frameworks/input/config/spaces.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/default.bro b/testing/btest/scripts/base/frameworks/input/default.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/default.bro
rename to testing/btest/scripts/base/frameworks/input/default.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro
rename to testing/btest/scripts/base/frameworks/input/empty-values-hashing.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/emptyvals.bro b/testing/btest/scripts/base/frameworks/input/emptyvals.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/emptyvals.bro
rename to testing/btest/scripts/base/frameworks/input/emptyvals.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/errors.bro b/testing/btest/scripts/base/frameworks/input/errors.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/errors.bro
rename to testing/btest/scripts/base/frameworks/input/errors.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/event.bro b/testing/btest/scripts/base/frameworks/input/event.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/event.bro
rename to testing/btest/scripts/base/frameworks/input/event.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/invalid-lines.bro b/testing/btest/scripts/base/frameworks/input/invalid-lines.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/invalid-lines.bro
rename to testing/btest/scripts/base/frameworks/input/invalid-lines.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro b/testing/btest/scripts/base/frameworks/input/invalidnumbers.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/invalidnumbers.bro
rename to testing/btest/scripts/base/frameworks/input/invalidnumbers.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/invalidset.bro b/testing/btest/scripts/base/frameworks/input/invalidset.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/invalidset.bro
rename to testing/btest/scripts/base/frameworks/input/invalidset.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/invalidtext.bro b/testing/btest/scripts/base/frameworks/input/invalidtext.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/invalidtext.bro
rename to testing/btest/scripts/base/frameworks/input/invalidtext.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/missing-enum.bro b/testing/btest/scripts/base/frameworks/input/missing-enum.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/missing-enum.bro
rename to testing/btest/scripts/base/frameworks/input/missing-enum.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/missing-file-initially.bro
rename to testing/btest/scripts/base/frameworks/input/missing-file-initially.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/missing-file.bro b/testing/btest/scripts/base/frameworks/input/missing-file.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/missing-file.bro
rename to testing/btest/scripts/base/frameworks/input/missing-file.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro
rename to testing/btest/scripts/base/frameworks/input/onecolumn-norecord.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-record.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/onecolumn-record.bro
rename to testing/btest/scripts/base/frameworks/input/onecolumn-record.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/optional.bro b/testing/btest/scripts/base/frameworks/input/optional.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/optional.bro
rename to testing/btest/scripts/base/frameworks/input/optional.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro rename to testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.zeek index df8a68613d..68805679a9 100644 --- a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.bro +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.zeek @@ -19,7 +19,7 @@ 127.0.3.3 value @TEST-END-FILE -@load path-prefix-common-table.bro +@load path-prefix-common-table.zeek redef InputAscii::path_prefix = "@path_prefix@"; event bro_init() @@ -32,7 +32,7 @@ event bro_init() # # The same test, but using event streams for input. -@load path-prefix-common-event.bro +@load path-prefix-common-event.zeek redef InputAscii::path_prefix = "@path_prefix@"; event bro_init() @@ -45,7 +45,7 @@ event bro_init() # # The same test again, but using file analysis w/ binary readers. -@load path-prefix-common-analysis.bro +@load path-prefix-common-analysis.zeek redef InputBinary::path_prefix = "@path_prefix@"; event bro_init() diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.zeek similarity index 91% rename from testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro rename to testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.zeek index 06d711a5e8..238150ffef 100644 --- a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.bro +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.zeek @@ -13,7 +13,7 @@ 127.0.4.3 value @TEST-END-FILE -@load path-prefix-common-table.bro +@load path-prefix-common-table.zeek redef InputAscii::path_prefix = "/this/does/not/exist"; event bro_init() 
@@ -26,7 +26,7 @@ event bro_init() # # The same test, but using event streams for input. -@load path-prefix-common-event.bro +@load path-prefix-common-event.zeek redef InputAscii::path_prefix = "/this/does/not/exist"; event bro_init() @@ -39,7 +39,7 @@ event bro_init() # # The same test again, but using file analysis w/ binary readers. -@load path-prefix-common-analysis.bro +@load path-prefix-common-analysis.zeek redef InputBinary::path_prefix = "/this/does/not/exist"; event bro_init() diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.zeek similarity index 89% rename from testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro rename to testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.zeek index dd38fd7796..ed1cccbda8 100644 --- a/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.bro +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.zeek @@ -11,7 +11,7 @@ 127.0.0.3 value @TEST-END-FILE -@load path-prefix-common-table.bro +@load path-prefix-common-table.zeek event bro_init() { @@ -23,7 +23,7 @@ event bro_init() # # The same test, but using event streams for input. -@load path-prefix-common-event.bro +@load path-prefix-common-event.zeek event bro_init() { @@ -35,7 +35,7 @@ event bro_init() # # The same test again, but using file analysis w/ binary readers. -@load path-prefix-common-analysis.bro +@load path-prefix-common-analysis.zeek event bro_init() { diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.bro rename to testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.zeek 
diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.bro rename to testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.zeek diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.bro rename to testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.zeek diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro b/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.zeek similarity index 91% rename from testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro rename to testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.zeek index 52ae233289..8706ade3f5 100644 --- a/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.bro +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.zeek @@ -13,7 +13,7 @@ 127.0.1.3 value @TEST-END-FILE -@load path-prefix-common-table.bro +@load path-prefix-common-table.zeek redef InputAscii::path_prefix = "alternative"; event bro_init() @@ -26,7 +26,7 @@ event bro_init() # # The same test, but using event streams for input. -@load path-prefix-common-event.bro +@load path-prefix-common-event.zeek redef InputAscii::path_prefix = "alternative"; event bro_init() 
@@ -39,7 +39,7 @@ event bro_init() # # The same test again, but using file analysis w/ binary readers. -@load path-prefix-common-analysis.bro +@load path-prefix-common-analysis.zeek redef InputBinary::path_prefix = "alternative"; event bro_init() diff --git a/testing/btest/scripts/base/frameworks/input/port-embedded.bro b/testing/btest/scripts/base/frameworks/input/port-embedded.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/port-embedded.bro rename to testing/btest/scripts/base/frameworks/input/port-embedded.zeek diff --git a/testing/btest/scripts/base/frameworks/input/port.bro b/testing/btest/scripts/base/frameworks/input/port.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/port.bro rename to testing/btest/scripts/base/frameworks/input/port.zeek diff --git a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro b/testing/btest/scripts/base/frameworks/input/predicate-stream.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/predicate-stream.bro rename to testing/btest/scripts/base/frameworks/input/predicate-stream.zeek diff --git a/testing/btest/scripts/base/frameworks/input/predicate.bro b/testing/btest/scripts/base/frameworks/input/predicate.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/predicate.bro rename to testing/btest/scripts/base/frameworks/input/predicate.zeek diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro b/testing/btest/scripts/base/frameworks/input/predicatemodify.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/predicatemodify.bro rename to testing/btest/scripts/base/frameworks/input/predicatemodify.zeek 
diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro
rename to testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro b/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro
rename to testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/raw/basic.bro b/testing/btest/scripts/base/frameworks/input/raw/basic.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/raw/basic.bro
rename to testing/btest/scripts/base/frameworks/input/raw/basic.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/raw/execute.bro b/testing/btest/scripts/base/frameworks/input/raw/execute.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/raw/execute.bro
rename to testing/btest/scripts/base/frameworks/input/raw/execute.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro b/testing/btest/scripts/base/frameworks/input/raw/executestdin.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/raw/executestdin.bro
rename to testing/btest/scripts/base/frameworks/input/raw/executestdin.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro b/testing/btest/scripts/base/frameworks/input/raw/executestream.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/raw/executestream.bro
rename to testing/btest/scripts/base/frameworks/input/raw/executestream.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/raw/long.bro b/testing/btest/scripts/base/frameworks/input/raw/long.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/raw/long.bro
rename to testing/btest/scripts/base/frameworks/input/raw/long.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/raw/offset.bro b/testing/btest/scripts/base/frameworks/input/raw/offset.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/raw/offset.bro
rename to testing/btest/scripts/base/frameworks/input/raw/offset.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro b/testing/btest/scripts/base/frameworks/input/raw/rereadraw.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro
rename to testing/btest/scripts/base/frameworks/input/raw/rereadraw.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro b/testing/btest/scripts/base/frameworks/input/raw/stderr.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/raw/stderr.bro
rename to testing/btest/scripts/base/frameworks/input/raw/stderr.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro b/testing/btest/scripts/base/frameworks/input/raw/streamraw.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/raw/streamraw.bro
rename to testing/btest/scripts/base/frameworks/input/raw/streamraw.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/repeat.bro b/testing/btest/scripts/base/frameworks/input/repeat.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/repeat.bro
rename to testing/btest/scripts/base/frameworks/input/repeat.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/reread.bro
rename to testing/btest/scripts/base/frameworks/input/reread.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/set.bro b/testing/btest/scripts/base/frameworks/input/set.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/set.bro
rename to testing/btest/scripts/base/frameworks/input/set.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/setseparator.bro b/testing/btest/scripts/base/frameworks/input/setseparator.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/setseparator.bro
rename to testing/btest/scripts/base/frameworks/input/setseparator.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/setspecialcases.bro b/testing/btest/scripts/base/frameworks/input/setspecialcases.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/setspecialcases.bro
rename to testing/btest/scripts/base/frameworks/input/setspecialcases.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro b/testing/btest/scripts/base/frameworks/input/sqlite/basic.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/sqlite/basic.bro
rename to testing/btest/scripts/base/frameworks/input/sqlite/basic.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/error.bro b/testing/btest/scripts/base/frameworks/input/sqlite/error.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/sqlite/error.bro
rename to testing/btest/scripts/base/frameworks/input/sqlite/error.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/port.bro b/testing/btest/scripts/base/frameworks/input/sqlite/port.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/sqlite/port.bro
rename to testing/btest/scripts/base/frameworks/input/sqlite/port.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/types.bro b/testing/btest/scripts/base/frameworks/input/sqlite/types.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/sqlite/types.bro
rename to testing/btest/scripts/base/frameworks/input/sqlite/types.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/stream.bro b/testing/btest/scripts/base/frameworks/input/stream.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/stream.bro
rename to testing/btest/scripts/base/frameworks/input/stream.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/subrecord-event.bro b/testing/btest/scripts/base/frameworks/input/subrecord-event.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/subrecord-event.bro
rename to testing/btest/scripts/base/frameworks/input/subrecord-event.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/subrecord.bro b/testing/btest/scripts/base/frameworks/input/subrecord.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/subrecord.bro
rename to testing/btest/scripts/base/frameworks/input/subrecord.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/tableevent.bro b/testing/btest/scripts/base/frameworks/input/tableevent.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/input/tableevent.bro
rename to testing/btest/scripts/base/frameworks/input/tableevent.zeek
diff --git a/testing/btest/scripts/base/frameworks/input/twotables.bro b/testing/btest/scripts/base/frameworks/input/twotables.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/twotables.bro rename to testing/btest/scripts/base/frameworks/input/twotables.zeek diff --git a/testing/btest/scripts/base/frameworks/input/unsupported_types.bro b/testing/btest/scripts/base/frameworks/input/unsupported_types.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/unsupported_types.bro rename to testing/btest/scripts/base/frameworks/input/unsupported_types.zeek diff --git a/testing/btest/scripts/base/frameworks/input/windows.bro b/testing/btest/scripts/base/frameworks/input/windows.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/input/windows.bro rename to testing/btest/scripts/base/frameworks/input/windows.zeek diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro rename to testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek index b81cac9bac..98fc45c29d 100644 --- a/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro +++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek @@ -13,7 +13,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-2/.stdout # @TEST-EXEC: btest-diff manager-1/intel.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], 
diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro rename to testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek index 5362886cd7..ecec5a0831 100644 --- a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro +++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek @@ -11,7 +11,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-2/.stdout # @TEST-EXEC: btest-diff manager-1/intel.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.bro b/testing/btest/scripts/base/frameworks/intel/expire-item.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/intel/expire-item.bro rename to testing/btest/scripts/base/frameworks/intel/expire-item.zeek diff --git a/testing/btest/scripts/base/frameworks/intel/filter-item.bro b/testing/btest/scripts/base/frameworks/intel/filter-item.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/intel/filter-item.bro rename to testing/btest/scripts/base/frameworks/intel/filter-item.zeek diff --git a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro b/testing/btest/scripts/base/frameworks/intel/input-and-match.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/intel/input-and-match.bro rename to testing/btest/scripts/base/frameworks/intel/input-and-match.zeek 
diff --git a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro b/testing/btest/scripts/base/frameworks/intel/match-subnet.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/intel/match-subnet.bro rename to testing/btest/scripts/base/frameworks/intel/match-subnet.zeek diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.zeek similarity index 96% rename from testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.bro rename to testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.zeek index 14ce01d32e..e637ebb3c5 100644 --- a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.bro +++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.zeek @@ -16,7 +16,7 @@ 127.0.2.3 Intel::ADDR this btest @TEST-END-FILE -@load path-prefix-common.bro +@load path-prefix-common.zeek redef Intel::read_files += { "test.data" }; redef InputAscii::path_prefix = "/this/does/not/exist"; diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.bro rename to testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.zeek index 346f3bad81..1e7050aee9 100644 --- a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.bro +++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.zeek 
@@ -13,7 +13,7 @@ 127.0.1.3 Intel::ADDR this btest @TEST-END-FILE -@load path-prefix-common.bro +@load path-prefix-common.zeek redef Intel::read_files += { "test.data" }; redef InputAscii::path_prefix = "input"; diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.bro rename to testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.zeek index 19828ea8af..2e602752f1 100644 --- a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.bro +++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.zeek @@ -14,7 +14,7 @@ 127.0.0.3 Intel::ADDR this btest @TEST-END-FILE -@load path-prefix-common.bro +@load path-prefix-common.zeek redef Intel::read_files += { "test.data" }; redef InputAscii::path_prefix = "alternative"; diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.zeek similarity index 94% rename from testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.bro rename to testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.zeek index 7148c1e857..7d02a0ac6a 100644 --- a/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.bro +++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.zeek @@ -11,6 +11,6 @@ 127.0.0.3 Intel::ADDR this btest @TEST-END-FILE -@load path-prefix-common.bro +@load path-prefix-common.zeek redef Intel::read_files += { "test.data" }; 
diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.bro b/testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.bro rename to testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.zeek diff --git a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro rename to testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek index a4becfb2b3..f262898966 100644 --- a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro +++ b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek @@ -11,7 +11,7 @@ # @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro rename to testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek index 5241231e1f..16ec0df4a4 100644 --- a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro +++ b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek 
@@ -8,7 +8,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff manager-1/intel.log -# @TEST-START-FILE cluster-layout.bro +# @TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro rename to testing/btest/scripts/base/frameworks/intel/remove-non-existing.zeek diff --git a/testing/btest/scripts/base/frameworks/intel/updated-match.bro b/testing/btest/scripts/base/frameworks/intel/updated-match.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/intel/updated-match.bro rename to testing/btest/scripts/base/frameworks/intel/updated-match.zeek diff --git a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/adapt-filter.bro rename to testing/btest/scripts/base/frameworks/logging/adapt-filter.zeek diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-binary.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/ascii-binary.bro rename to testing/btest/scripts/base/frameworks/logging/ascii-binary.zeek 
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro b/testing/btest/scripts/base/frameworks/logging/ascii-double.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/logging/ascii-double.bro rename to testing/btest/scripts/base/frameworks/logging/ascii-double.zeek index b824d93676..86a9716312 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-double.zeek @@ -1,6 +1,6 @@ # @TEST-DOC: Test that the ASCII writer logs values of type "double" correctly. # -# @TEST-EXEC: bro -b %INPUT test-json.bro +# @TEST-EXEC: bro -b %INPUT test-json.zeek # @TEST-EXEC: mv test.log json.log # @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff test.log @@ -78,7 +78,7 @@ event bro_init() logwrite(d); } -# @TEST-START-FILE test-json.bro +# @TEST-START-FILE test-json.zeek redef LogAscii::use_json = T; diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro b/testing/btest/scripts/base/frameworks/logging/ascii-empty.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/ascii-empty.bro rename to testing/btest/scripts/base/frameworks/logging/ascii-empty.zeek diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.zeek diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.zeek 
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-gz.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-gz.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-json-optional.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-json.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-json.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.bro b/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-options.bro b/testing/btest/scripts/base/frameworks/logging/ascii-options.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-options.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-options.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-timestamps.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro b/testing/btest/scripts/base/frameworks/logging/ascii-tsv.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-tsv.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/attr-extend.bro b/testing/btest/scripts/base/frameworks/logging/attr-extend.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/attr-extend.bro
rename to testing/btest/scripts/base/frameworks/logging/attr-extend.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/attr.bro b/testing/btest/scripts/base/frameworks/logging/attr.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/attr.bro
rename to testing/btest/scripts/base/frameworks/logging/attr.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/disable-stream.bro
rename to testing/btest/scripts/base/frameworks/logging/disable-stream.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/empty-event.bro b/testing/btest/scripts/base/frameworks/logging/empty-event.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/empty-event.bro
rename to testing/btest/scripts/base/frameworks/logging/empty-event.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/enable-stream.bro b/testing/btest/scripts/base/frameworks/logging/enable-stream.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/enable-stream.bro
rename to testing/btest/scripts/base/frameworks/logging/enable-stream.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/events.bro b/testing/btest/scripts/base/frameworks/logging/events.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/events.bro
rename to testing/btest/scripts/base/frameworks/logging/events.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/exclude.bro b/testing/btest/scripts/base/frameworks/logging/exclude.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/exclude.bro
rename to testing/btest/scripts/base/frameworks/logging/exclude.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.zeek
similarity index 87%
rename from testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.zeek
index dd30ad4c6f..a974a3e195 100644
--- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro
+++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.zeek
@@ -1,15 +1,15 @@ # @TEST-PORT: BROKER_PORT1 # @TEST-PORT: BROKER_PORT2 # -# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" +# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 bro %INPUT" +# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: grep qux manager-1/reporter.log | sed 's#line ..#line XX#g' > manager-reporter.log # @TEST-EXEC: grep qux manager-1/reporter-2.log | sed 's#line ..*#line XX#g' >> manager-reporter.log # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-canonifier | $SCRIPTS/diff-remove-abspath | grep -v ^# | $SCRIPTS/diff-sort" btest-diff manager-reporter.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.zeek similarity index 84% rename from testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro rename to testing/btest/scripts/base/frameworks/logging/field-extension-cluster.zeek index d38b5b744b..4159d91c59 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.zeek 
@@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT1 # @TEST-PORT: BROKER_PORT2 # -# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" +# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 bro %INPUT" +# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/http.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-complex.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-complex.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/field-extension-complex.bro rename to testing/btest/scripts/base/frameworks/logging/field-extension-complex.zeek diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/field-extension-invalid.bro rename to testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek 
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-optional.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-optional.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-extension-optional.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension-optional.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-table.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-table.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-extension-table.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension-table.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension.bro b/testing/btest/scripts/base/frameworks/logging/field-extension.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-extension.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-name-map.bro b/testing/btest/scripts/base/frameworks/logging/field-name-map.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-name-map.bro
rename to testing/btest/scripts/base/frameworks/logging/field-name-map.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-name-map2.bro b/testing/btest/scripts/base/frameworks/logging/field-name-map2.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-name-map2.bro
rename to testing/btest/scripts/base/frameworks/logging/field-name-map2.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/file.bro b/testing/btest/scripts/base/frameworks/logging/file.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/file.bro
rename to testing/btest/scripts/base/frameworks/logging/file.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/include.bro b/testing/btest/scripts/base/frameworks/logging/include.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/include.bro
rename to testing/btest/scripts/base/frameworks/logging/include.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/no-local.bro b/testing/btest/scripts/base/frameworks/logging/no-local.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/no-local.bro
rename to testing/btest/scripts/base/frameworks/logging/no-local.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/none-debug.bro b/testing/btest/scripts/base/frameworks/logging/none-debug.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/none-debug.bro
rename to testing/btest/scripts/base/frameworks/logging/none-debug.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro b/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro
rename to testing/btest/scripts/base/frameworks/logging/path-func-column-demote.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/path-func.bro b/testing/btest/scripts/base/frameworks/logging/path-func.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/path-func.bro
rename to testing/btest/scripts/base/frameworks/logging/path-func.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/pred.bro b/testing/btest/scripts/base/frameworks/logging/pred.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/pred.bro
rename to testing/btest/scripts/base/frameworks/logging/pred.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/remove.bro
rename to testing/btest/scripts/base/frameworks/logging/remove.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro b/testing/btest/scripts/base/frameworks/logging/rotate-custom.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
rename to testing/btest/scripts/base/frameworks/logging/rotate-custom.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/rotate.bro b/testing/btest/scripts/base/frameworks/logging/rotate.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/rotate.bro
rename to testing/btest/scripts/base/frameworks/logging/rotate.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/scope_sep.bro b/testing/btest/scripts/base/frameworks/logging/scope_sep.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/scope_sep.bro
rename to testing/btest/scripts/base/frameworks/logging/scope_sep.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/scope_sep_and_field_name_map.bro b/testing/btest/scripts/base/frameworks/logging/scope_sep_and_field_name_map.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/scope_sep_and_field_name_map.bro
rename to testing/btest/scripts/base/frameworks/logging/scope_sep_and_field_name_map.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/error.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/error.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/sqlite/error.bro
rename to testing/btest/scripts/base/frameworks/logging/sqlite/error.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/set.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/set.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/sqlite/set.bro
rename to testing/btest/scripts/base/frameworks/logging/sqlite/set.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro
rename to testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/types.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/sqlite/types.bro
rename to testing/btest/scripts/base/frameworks/logging/sqlite/types.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro
rename to testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/stdout.bro b/testing/btest/scripts/base/frameworks/logging/stdout.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/stdout.bro
rename to testing/btest/scripts/base/frameworks/logging/stdout.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/test-logging.bro b/testing/btest/scripts/base/frameworks/logging/test-logging.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/test-logging.bro
rename to testing/btest/scripts/base/frameworks/logging/test-logging.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/types.bro b/testing/btest/scripts/base/frameworks/logging/types.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/types.bro
rename to testing/btest/scripts/base/frameworks/logging/types.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/unset-record.bro b/testing/btest/scripts/base/frameworks/logging/unset-record.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/unset-record.bro
rename to testing/btest/scripts/base/frameworks/logging/unset-record.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/vec.bro b/testing/btest/scripts/base/frameworks/logging/vec.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/vec.bro
rename to testing/btest/scripts/base/frameworks/logging/vec.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.bro b/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/writer-path-conflict.bro
rename to testing/btest/scripts/base/frameworks/logging/writer-path-conflict.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek
similarity index 95%
rename from testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek
index 9e0db8531a..4aadb33417 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek
@@ -1,12 +1,12 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek @load base/frameworks/netcontrol @@ -89,7 +89,7 @@ event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek @load base/frameworks/netcontrol @load base/frameworks/broker diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/netcontrol/acld.bro rename to testing/btest/scripts/base/frameworks/netcontrol/acld.zeek index 243e5e9b7c..91591336c3 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.zeek @@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff send/netcontrol.log # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek @load base/frameworks/netcontrol 
@@ -94,7 +94,7 @@ event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, ms @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek @load base/frameworks/netcontrol @load base/frameworks/broker diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.zeek similarity index 81% rename from testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro rename to testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.zeek index 50c04433ad..ec619f5b6b 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.zeek 
@@ -2,17 +2,17 @@ # @TEST-PORT: BROKER_PORT2 # @TEST-PORT: BROKER_PORT3 # -# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" +# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 bro %INPUT" +# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" # @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat worker-1/.pid) 10 || (btest-bg-wait -k 1 && false) -# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" +# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/netcontrol/basic.bro rename to testing/btest/scripts/base/frameworks/netcontrol/basic.zeek 
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro b/testing/btest/scripts/base/frameworks/netcontrol/broker.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/netcontrol/broker.bro rename to testing/btest/scripts/base/frameworks/netcontrol/broker.zeek index 4d232c3325..9933e635c6 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/broker.zeek @@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff send/netcontrol.log # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek @load base/frameworks/netcontrol @@ -78,7 +78,7 @@ event NetControl::rule_timeout(r: NetControl::Rule, i: NetControl::FlowInfo, p: @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek @load base/frameworks/netcontrol @load base/frameworks/broker diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro rename to testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.zeek 
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro b/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/duplicate.bro b/testing/btest/scripts/base/frameworks/netcontrol/duplicate.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/duplicate.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/duplicate.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/find-rules.bro b/testing/btest/scripts/base/frameworks/netcontrol/find-rules.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/find-rules.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/find-rules.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/hook.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/hook.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/hook.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro b/testing/btest/scripts/base/frameworks/netcontrol/multiple.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/multiple.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/multiple.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/openflow.bro b/testing/btest/scripts/base/frameworks/netcontrol/openflow.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/openflow.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/openflow.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/packetfilter.bro b/testing/btest/scripts/base/frameworks/netcontrol/packetfilter.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/packetfilter.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/packetfilter.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.bro b/testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/timeout.bro b/testing/btest/scripts/base/frameworks/netcontrol/timeout.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/timeout.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/timeout.zeek
diff --git a/testing/btest/scripts/base/frameworks/notice/cluster.bro b/testing/btest/scripts/base/frameworks/notice/cluster.zeek
similarity index 97%
rename from testing/btest/scripts/base/frameworks/notice/cluster.bro
rename to testing/btest/scripts/base/frameworks/notice/cluster.zeek
index 69d1ac8364..cda5fc857e 100644
--- a/testing/btest/scripts/base/frameworks/notice/cluster.bro
+++ b/testing/btest/scripts/base/frameworks/notice/cluster.zeek
@@ -8,7 +8,7 @@ # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/notice.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro b/testing/btest/scripts/base/frameworks/notice/mail-alarms.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/notice/mail-alarms.bro rename to testing/btest/scripts/base/frameworks/notice/mail-alarms.zeek diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro rename to testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek index e9b31e1756..73cd65cfe9 100644 --- a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek @@ -10,7 +10,7 @@ # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/notice.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro b/testing/btest/scripts/base/frameworks/notice/suppression-disable.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/notice/suppression-disable.bro rename to testing/btest/scripts/base/frameworks/notice/suppression-disable.zeek 
diff --git a/testing/btest/scripts/base/frameworks/notice/suppression.bro b/testing/btest/scripts/base/frameworks/notice/suppression.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/notice/suppression.bro rename to testing/btest/scripts/base/frameworks/notice/suppression.zeek diff --git a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro b/testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek similarity index 94% rename from testing/btest/scripts/base/frameworks/openflow/broker-basic.bro rename to testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek index 9d43089b93..c46c00d2f3 100644 --- a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro +++ b/testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek @@ -1,12 +1,12 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek @load base/protocols/conn @load base/frameworks/openflow @@ -67,7 +67,7 @@ event OpenFlow::flow_mod_failure(name: string, match: OpenFlow::ofp_match, flow_ @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek @load base/frameworks/openflow diff --git a/testing/btest/scripts/base/frameworks/openflow/log-basic.bro b/testing/btest/scripts/base/frameworks/openflow/log-basic.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/openflow/log-basic.bro rename to testing/btest/scripts/base/frameworks/openflow/log-basic.zeek 
diff --git a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro b/testing/btest/scripts/base/frameworks/openflow/log-cluster.zeek similarity index 84% rename from testing/btest/scripts/base/frameworks/openflow/log-cluster.bro rename to testing/btest/scripts/base/frameworks/openflow/log-cluster.zeek index 33f20f8ce5..08cfbb581d 100644 --- a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro +++ b/testing/btest/scripts/base/frameworks/openflow/log-cluster.zeek @@ -1,12 +1,12 @@ # @TEST-PORT: BROKER_PORT1 # @TEST-PORT: BROKER_PORT2 # -# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT" +# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 bro %INPUT" +# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/openflow.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro b/testing/btest/scripts/base/frameworks/openflow/ryu-basic.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro rename to testing/btest/scripts/base/frameworks/openflow/ryu-basic.zeek 
diff --git a/testing/btest/scripts/base/frameworks/reporter/disable-stderr.bro b/testing/btest/scripts/base/frameworks/reporter/disable-stderr.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/reporter/disable-stderr.bro rename to testing/btest/scripts/base/frameworks/reporter/disable-stderr.zeek diff --git a/testing/btest/scripts/base/frameworks/reporter/stderr.bro b/testing/btest/scripts/base/frameworks/reporter/stderr.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/reporter/stderr.bro rename to testing/btest/scripts/base/frameworks/reporter/stderr.zeek diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/software/version-parsing.bro rename to testing/btest/scripts/base/frameworks/software/version-parsing.zeek diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek index 8f4bd26ef1..d611d29907 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek @@ -9,7 +9,7 @@ # @TEST-EXEC: btest-diff manager-1/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], 
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic.bro b/testing/btest/scripts/base/frameworks/sumstats/basic.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/sumstats/basic.bro rename to testing/btest/scripts/base/frameworks/sumstats/basic.zeek diff --git a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro rename to testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.zeek index 949fcb3644..5bda9e3705 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.zeek @@ -8,7 +8,7 @@ # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/last-cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/last-cluster.zeek index da8f8fb80f..00dab1212b 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/last-cluster.zeek 
@@ -7,7 +7,7 @@ # @TEST-EXEC: btest-diff manager-1/.stdout # -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek index bb429a52cb..2c5621743f 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek @@ -10,7 +10,7 @@ # @TEST-EXEC: btest-diff manager-1/.stdout # -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/sumstats/on-demand.bro rename to testing/btest/scripts/base/frameworks/sumstats/on-demand.zeek diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek index 227313635a..088b3c9c14 100644 
--- a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek @@ -8,7 +8,7 @@ # @TEST-EXEC: btest-bg-wait 15 # @TEST-EXEC: btest-diff manager-1/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample.bro b/testing/btest/scripts/base/frameworks/sumstats/sample.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/sumstats/sample.bro rename to testing/btest/scripts/base/frameworks/sumstats/sample.zeek diff --git a/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro b/testing/btest/scripts/base/frameworks/sumstats/thresholding.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/sumstats/thresholding.bro rename to testing/btest/scripts/base/frameworks/sumstats/thresholding.zeek diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek index 8a3a9bcf1b..f26eca11cf 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek 
@@ -9,7 +9,7 @@ # @TEST-EXEC: btest-diff manager-1/.stdout # -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk.bro b/testing/btest/scripts/base/frameworks/sumstats/topk.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/sumstats/topk.bro rename to testing/btest/scripts/base/frameworks/sumstats/topk.zeek diff --git a/testing/btest/scripts/base/misc/version.bro b/testing/btest/scripts/base/misc/version.zeek similarity index 100% rename from testing/btest/scripts/base/misc/version.bro rename to testing/btest/scripts/base/misc/version.zeek diff --git a/testing/btest/scripts/base/protocols/conn/new_connection_contents.bro b/testing/btest/scripts/base/protocols/conn/new_connection_contents.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/conn/new_connection_contents.bro rename to testing/btest/scripts/base/protocols/conn/new_connection_contents.zeek diff --git a/testing/btest/scripts/base/protocols/conn/threshold.bro b/testing/btest/scripts/base/protocols/conn/threshold.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/conn/threshold.bro rename to testing/btest/scripts/base/protocols/conn/threshold.zeek diff --git a/testing/btest/scripts/base/protocols/dce-rpc/context.bro b/testing/btest/scripts/base/protocols/dce-rpc/context.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/dce-rpc/context.bro rename to testing/btest/scripts/base/protocols/dce-rpc/context.zeek 
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek
similarity index 96%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek
index 533bfd8e0b..e551bbf7d6 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek
similarity index 97%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek
index 3e8c4f56d4..489be56505 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek
similarity index 96%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek
index e95637b67d..9155ea0174 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek
similarity index 96%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek
index 8da9f078a4..87140ec1fe 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek
similarity index 96%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek
index 60761360ed..8ca9e3107d 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek
similarity index 95%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek
index 867382148b..868ce39cc0 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_write.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek
similarity index 83%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_write.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek
index 8669d701b2..340e2b3132 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_write.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek
similarity index 96%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek
index d97d37d0ce..f88c262d54 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek
similarity index 95%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek
index a8acf4755c..9119c33a97 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek
similarity index 96%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek
index a5f1f895cc..07479c92a2 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek
similarity index 96%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek
index 073e758df4..cf64179dfe 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek
similarity index 94%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek
index c8708b10cd..c6deb5eb69 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek
similarity index 96%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek
index d832d937a7..f88e04f37a 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_read.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek
similarity index 82%
rename from testing/btest/scripts/base/protocols/dnp3/dnp3_read.bro
rename to testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek
index ffb0e03653..86b99a11c7 100644
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_read.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.bro >output
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
diff --git a/testing/btest/scripts/base/protocols/dnp3/events.bro b/testing/btest/scripts/base/protocols/dnp3/events.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dnp3/events.bro
rename to testing/btest/scripts/base/protocols/dnp3/events.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/caa.bro b/testing/btest/scripts/base/protocols/dns/caa.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/caa.bro
rename to testing/btest/scripts/base/protocols/dns/caa.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/dns-key.bro b/testing/btest/scripts/base/protocols/dns/dns-key.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/dns-key.bro
rename to testing/btest/scripts/base/protocols/dns/dns-key.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/dnskey.bro b/testing/btest/scripts/base/protocols/dns/dnskey.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/dnskey.bro
rename to testing/btest/scripts/base/protocols/dns/dnskey.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/ds.bro b/testing/btest/scripts/base/protocols/dns/ds.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/ds.bro
rename to testing/btest/scripts/base/protocols/dns/ds.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro b/testing/btest/scripts/base/protocols/dns/duplicate-reponses.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro
rename to testing/btest/scripts/base/protocols/dns/duplicate-reponses.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/flip.bro b/testing/btest/scripts/base/protocols/dns/flip.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/flip.bro
rename to testing/btest/scripts/base/protocols/dns/flip.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/huge-ttl.bro b/testing/btest/scripts/base/protocols/dns/huge-ttl.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/huge-ttl.bro
rename to testing/btest/scripts/base/protocols/dns/huge-ttl.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/multiple-txt-strings.bro b/testing/btest/scripts/base/protocols/dns/multiple-txt-strings.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/multiple-txt-strings.bro
rename to testing/btest/scripts/base/protocols/dns/multiple-txt-strings.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/nsec.bro b/testing/btest/scripts/base/protocols/dns/nsec.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/nsec.bro
rename to testing/btest/scripts/base/protocols/dns/nsec.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/nsec3.bro b/testing/btest/scripts/base/protocols/dns/nsec3.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/nsec3.bro
rename to testing/btest/scripts/base/protocols/dns/nsec3.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/rrsig.bro b/testing/btest/scripts/base/protocols/dns/rrsig.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/rrsig.bro
rename to testing/btest/scripts/base/protocols/dns/rrsig.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/tsig.bro b/testing/btest/scripts/base/protocols/dns/tsig.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/tsig.bro
rename to testing/btest/scripts/base/protocols/dns/tsig.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/zero-responses.bro b/testing/btest/scripts/base/protocols/dns/zero-responses.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/zero-responses.bro
rename to testing/btest/scripts/base/protocols/dns/zero-responses.zeek
diff --git a/testing/btest/scripts/base/protocols/ftp/cwd-navigation.bro b/testing/btest/scripts/base/protocols/ftp/cwd-navigation.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/ftp/cwd-navigation.bro
rename to testing/btest/scripts/base/protocols/ftp/cwd-navigation.zeek
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro b/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro
rename to testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.zeek
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.bro b/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/ftp/ftp-ipv4.bro
rename to testing/btest/scripts/base/protocols/ftp/ftp-ipv4.zeek
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.bro b/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/ftp/ftp-ipv6.bro
rename to testing/btest/scripts/base/protocols/ftp/ftp-ipv6.zeek
diff --git a/testing/btest/scripts/base/protocols/http/100-continue.bro b/testing/btest/scripts/base/protocols/http/100-continue.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/100-continue.bro
rename to testing/btest/scripts/base/protocols/http/100-continue.zeek
diff --git a/testing/btest/scripts/base/protocols/http/101-switching-protocols.bro b/testing/btest/scripts/base/protocols/http/101-switching-protocols.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/101-switching-protocols.bro
rename to testing/btest/scripts/base/protocols/http/101-switching-protocols.zeek
diff --git a/testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro b/testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro
rename to testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek
diff --git a/testing/btest/scripts/base/protocols/http/content-range-gap.bro b/testing/btest/scripts/base/protocols/http/content-range-gap.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/content-range-gap.bro
rename to testing/btest/scripts/base/protocols/http/content-range-gap.zeek
diff --git a/testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro b/testing/btest/scripts/base/protocols/http/content-range-less-than-len.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro
rename to testing/btest/scripts/base/protocols/http/content-range-less-than-len.zeek
diff --git a/testing/btest/scripts/base/protocols/http/entity-gap.bro b/testing/btest/scripts/base/protocols/http/entity-gap.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/entity-gap.bro
rename to testing/btest/scripts/base/protocols/http/entity-gap.zeek
diff --git a/testing/btest/scripts/base/protocols/http/entity-gap2.bro b/testing/btest/scripts/base/protocols/http/entity-gap2.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/entity-gap2.bro
rename to testing/btest/scripts/base/protocols/http/entity-gap2.zeek
diff --git a/testing/btest/scripts/base/protocols/http/fake-content-length.bro b/testing/btest/scripts/base/protocols/http/fake-content-length.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/fake-content-length.bro
rename to testing/btest/scripts/base/protocols/http/fake-content-length.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro b/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro
rename to testing/btest/scripts/base/protocols/http/http-bad-request-with-version.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-connect-with-header.bro b/testing/btest/scripts/base/protocols/http/http-connect-with-header.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-connect-with-header.bro
rename to testing/btest/scripts/base/protocols/http/http-connect-with-header.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-connect.bro b/testing/btest/scripts/base/protocols/http/http-connect.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-connect.bro
rename to testing/btest/scripts/base/protocols/http/http-connect.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-filename.bro b/testing/btest/scripts/base/protocols/http/http-filename.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-filename.bro
rename to testing/btest/scripts/base/protocols/http/http-filename.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-header-crlf.bro b/testing/btest/scripts/base/protocols/http/http-header-crlf.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-header-crlf.bro
rename to testing/btest/scripts/base/protocols/http/http-header-crlf.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-methods.bro b/testing/btest/scripts/base/protocols/http/http-methods.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-methods.bro
rename to testing/btest/scripts/base/protocols/http/http-methods.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-pipelining.bro b/testing/btest/scripts/base/protocols/http/http-pipelining.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-pipelining.bro
rename to testing/btest/scripts/base/protocols/http/http-pipelining.zeek
diff --git a/testing/btest/scripts/base/protocols/http/missing-zlib-header.bro b/testing/btest/scripts/base/protocols/http/missing-zlib-header.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/missing-zlib-header.bro
rename to testing/btest/scripts/base/protocols/http/missing-zlib-header.zeek
diff --git a/testing/btest/scripts/base/protocols/http/multipart-extract.bro b/testing/btest/scripts/base/protocols/http/multipart-extract.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/multipart-extract.bro
rename to testing/btest/scripts/base/protocols/http/multipart-extract.zeek
diff --git a/testing/btest/scripts/base/protocols/http/multipart-file-limit.bro b/testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/multipart-file-limit.bro
rename to testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek
diff --git a/testing/btest/scripts/base/protocols/http/no-uri.bro b/testing/btest/scripts/base/protocols/http/no-uri.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/no-uri.bro
rename to testing/btest/scripts/base/protocols/http/no-uri.zeek
diff --git a/testing/btest/scripts/base/protocols/http/no-version.bro b/testing/btest/scripts/base/protocols/http/no-version.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/no-version.bro
rename to testing/btest/scripts/base/protocols/http/no-version.zeek
diff --git a/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro b/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/percent-end-of-line.bro
rename to testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
diff --git a/testing/btest/scripts/base/protocols/http/x-gzip.bro b/testing/btest/scripts/base/protocols/http/x-gzip.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/x-gzip.bro
rename to testing/btest/scripts/base/protocols/http/x-gzip.zeek
diff --git a/testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.bro b/testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.bro
rename to testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.zeek
diff --git a/testing/btest/scripts/base/protocols/irc/names-weird.bro b/testing/btest/scripts/base/protocols/irc/names-weird.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/irc/names-weird.bro
rename to testing/btest/scripts/base/protocols/irc/names-weird.zeek
diff --git a/testing/btest/scripts/base/protocols/modbus/coil_parsing_big.bro b/testing/btest/scripts/base/protocols/modbus/coil_parsing_big.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/modbus/coil_parsing_big.bro
rename to testing/btest/scripts/base/protocols/modbus/coil_parsing_big.zeek
diff --git a/testing/btest/scripts/base/protocols/modbus/coil_parsing_small.bro b/testing/btest/scripts/base/protocols/modbus/coil_parsing_small.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/modbus/coil_parsing_small.bro
rename to testing/btest/scripts/base/protocols/modbus/coil_parsing_small.zeek
diff --git a/testing/btest/scripts/base/protocols/modbus/events.bro b/testing/btest/scripts/base/protocols/modbus/events.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/modbus/events.bro
rename to testing/btest/scripts/base/protocols/modbus/events.zeek
diff --git a/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro b/testing/btest/scripts/base/protocols/modbus/length_mismatch.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/modbus/length_mismatch.bro
rename to testing/btest/scripts/base/protocols/modbus/length_mismatch.zeek
diff --git a/testing/btest/scripts/base/protocols/modbus/policy.bro b/testing/btest/scripts/base/protocols/modbus/policy.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/modbus/policy.bro
rename to testing/btest/scripts/base/protocols/modbus/policy.zeek
diff --git a/testing/btest/scripts/base/protocols/modbus/register_parsing.bro b/testing/btest/scripts/base/protocols/modbus/register_parsing.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/modbus/register_parsing.bro
rename to testing/btest/scripts/base/protocols/modbus/register_parsing.zeek
diff --git a/testing/btest/scripts/base/protocols/ncp/event.bro b/testing/btest/scripts/base/protocols/ncp/event.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/ncp/event.bro
rename to testing/btest/scripts/base/protocols/ncp/event.zeek
diff --git a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro
rename to testing/btest/scripts/base/protocols/ncp/frame_size_tuning.zeek
diff --git a/testing/btest/scripts/base/protocols/pop3/starttls.bro b/testing/btest/scripts/base/protocols/pop3/starttls.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/pop3/starttls.bro
rename to testing/btest/scripts/base/protocols/pop3/starttls.zeek
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.bro b/testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.bro
rename to testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.zeek
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.bro b/testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.bro
rename to testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.zeek
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro b/testing/btest/scripts/base/protocols/rdp/rdp-x509.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/rdp/rdp-x509.bro
rename to testing/btest/scripts/base/protocols/rdp/rdp-x509.zeek
diff --git a/testing/btest/scripts/base/protocols/smb/smb2-read-write.bro b/testing/btest/scripts/base/protocols/smb/smb2-read-write.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/smb/smb2-read-write.bro
rename to testing/btest/scripts/base/protocols/smb/smb2-read-write.zeek
diff --git a/testing/btest/scripts/base/protocols/snmp/snmp-addr.bro b/testing/btest/scripts/base/protocols/snmp/snmp-addr.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/snmp/snmp-addr.bro
rename to testing/btest/scripts/base/protocols/snmp/snmp-addr.zeek
diff --git a/testing/btest/scripts/base/protocols/snmp/v1.bro b/testing/btest/scripts/base/protocols/snmp/v1.zeek
similarity index 78%
rename from testing/btest/scripts/base/protocols/snmp/v1.bro
rename to testing/btest/scripts/base/protocols/snmp/v1.zeek
index 7dd5bd4a68..09f86a28e4 100644
--- a/testing/btest/scripts/base/protocols/snmp/v1.bro
+++ b/testing/btest/scripts/base/protocols/snmp/v1.zeek
@@ -1,7 +1,7 @@ -# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get.pcap %INPUT $SCRIPTS/snmp-test.bro >out1 -# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get_short.pcap %INPUT $SCRIPTS/snmp-test.bro >out2 -# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_set.pcap %INPUT $SCRIPTS/snmp-test.bro >out3 -# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_trap.pcap %INPUT $SCRIPTS/snmp-test.bro >out4 +# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get.pcap %INPUT $SCRIPTS/snmp-test.zeek >out1 +# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get_short.pcap %INPUT $SCRIPTS/snmp-test.zeek >out2 +# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_set.pcap %INPUT $SCRIPTS/snmp-test.zeek >out3 +# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_trap.pcap %INPUT $SCRIPTS/snmp-test.zeek >out4 # @TEST-EXEC: btest-diff out1 # @TEST-EXEC: btest-diff out2 diff --git a/testing/btest/scripts/base/protocols/snmp/v2.bro b/testing/btest/scripts/base/protocols/snmp/v2.zeek similarity index 77% rename from testing/btest/scripts/base/protocols/snmp/v2.bro rename to testing/btest/scripts/base/protocols/snmp/v2.zeek index a2b9885fbb..58491d33b2 100644 --- a/testing/btest/scripts/base/protocols/snmp/v2.bro +++ b/testing/btest/scripts/base/protocols/snmp/v2.zeek @@ -1,6 +1,6 @@ -# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get.pcap %INPUT $SCRIPTS/snmp-test.bro >out1 -# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_bulk.pcap %INPUT $SCRIPTS/snmp-test.bro >out2 -# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_next.pcap %INPUT $SCRIPTS/snmp-test.bro >out3 +# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get.pcap %INPUT $SCRIPTS/snmp-test.zeek >out1 +# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_bulk.pcap %INPUT $SCRIPTS/snmp-test.zeek >out2 +# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_next.pcap %INPUT $SCRIPTS/snmp-test.zeek >out3 # @TEST-EXEC: btest-diff out1 # @TEST-EXEC: btest-diff out2 
diff --git a/testing/btest/scripts/base/protocols/snmp/v3.bro b/testing/btest/scripts/base/protocols/snmp/v3.zeek similarity index 79% rename from testing/btest/scripts/base/protocols/snmp/v3.bro rename to testing/btest/scripts/base/protocols/snmp/v3.zeek index 43edbdc2df..4d72b6476d 100644 --- a/testing/btest/scripts/base/protocols/snmp/v3.bro +++ b/testing/btest/scripts/base/protocols/snmp/v3.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv3_get_next.pcap %INPUT $SCRIPTS/snmp-test.bro >out1 +# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv3_get_next.pcap %INPUT $SCRIPTS/snmp-test.zeek >out1 # @TEST-EXEC: btest-diff out1 diff --git a/testing/btest/scripts/base/protocols/socks/socks-auth.bro b/testing/btest/scripts/base/protocols/socks/socks-auth.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/socks/socks-auth.bro rename to testing/btest/scripts/base/protocols/socks/socks-auth.zeek diff --git a/testing/btest/scripts/base/protocols/syslog/missing-pri.bro b/testing/btest/scripts/base/protocols/syslog/missing-pri.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/syslog/missing-pri.bro rename to testing/btest/scripts/base/protocols/syslog/missing-pri.zeek diff --git a/testing/btest/scripts/base/protocols/tcp/pending.bro b/testing/btest/scripts/base/protocols/tcp/pending.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/tcp/pending.bro rename to testing/btest/scripts/base/protocols/tcp/pending.zeek diff --git a/testing/btest/scripts/base/utils/decompose_uri.bro b/testing/btest/scripts/base/utils/decompose_uri.zeek similarity index 100% rename from testing/btest/scripts/base/utils/decompose_uri.bro rename to testing/btest/scripts/base/utils/decompose_uri.zeek diff --git a/testing/btest/scripts/base/utils/dir.test b/testing/btest/scripts/base/utils/dir.test index 4cbb4a3c89..d7071e1d4c 100644 --- a/testing/btest/scripts/base/utils/dir.test 
+++ b/testing/btest/scripts/base/utils/dir.test @@ -1,4 +1,4 @@ -# @TEST-EXEC: btest-bg-run bro bro -b ../dirtest.bro +# @TEST-EXEC: btest-bg-run bro bro -b ../dirtest.zeek # @TEST-EXEC: $SCRIPTS/wait-for-file bro/next1 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: touch testdir/newone # @TEST-EXEC: rm testdir/bye @@ -8,7 +8,7 @@ # @TEST-EXEC: touch testdir/newone # @TEST-EXEC: btest-diff bro/.stdout -@TEST-START-FILE dirtest.bro +@TEST-START-FILE dirtest.zeek @load base/utils/dir redef exit_only_after_terminate = T; diff --git a/testing/btest/scripts/base/utils/exec.test b/testing/btest/scripts/base/utils/exec.test index 0b926df402..d761587f31 100644 --- a/testing/btest/scripts/base/utils/exec.test +++ b/testing/btest/scripts/base/utils/exec.test @@ -1,8 +1,8 @@ -# @TEST-EXEC: btest-bg-run bro bro -b ../exectest.bro +# @TEST-EXEC: btest-bg-run bro bro -b ../exectest.zeek # @TEST-EXEC: btest-bg-wait 15 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stdout -@TEST-START-FILE exectest.bro +@TEST-START-FILE exectest.zeek @load base/utils/exec redef exit_only_after_terminate = T; diff --git a/testing/btest/scripts/base/utils/hash_hrw.bro b/testing/btest/scripts/base/utils/hash_hrw.zeek similarity index 100% rename from testing/btest/scripts/base/utils/hash_hrw.bro rename to testing/btest/scripts/base/utils/hash_hrw.zeek diff --git a/testing/btest/scripts/check-test-all-policy.bro b/testing/btest/scripts/check-test-all-policy.zeek similarity index 100% rename from testing/btest/scripts/check-test-all-policy.bro rename to testing/btest/scripts/check-test-all-policy.zeek diff --git a/testing/btest/scripts/policy/frameworks/files/extract-all.bro b/testing/btest/scripts/policy/frameworks/files/extract-all.zeek similarity index 100% rename from testing/btest/scripts/policy/frameworks/files/extract-all.bro rename to testing/btest/scripts/policy/frameworks/files/extract-all.zeek 
diff --git a/testing/btest/scripts/policy/frameworks/intel/removal.bro b/testing/btest/scripts/policy/frameworks/intel/removal.zeek
similarity index 100%
rename from testing/btest/scripts/policy/frameworks/intel/removal.bro
rename to testing/btest/scripts/policy/frameworks/intel/removal.zeek
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro b/testing/btest/scripts/policy/frameworks/intel/seen/certs.zeek
similarity index 100%
rename from testing/btest/scripts/policy/frameworks/intel/seen/certs.bro
rename to testing/btest/scripts/policy/frameworks/intel/seen/certs.zeek
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/smb.bro b/testing/btest/scripts/policy/frameworks/intel/seen/smb.zeek
similarity index 100%
rename from testing/btest/scripts/policy/frameworks/intel/seen/smb.bro
rename to testing/btest/scripts/policy/frameworks/intel/seen/smb.zeek
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro b/testing/btest/scripts/policy/frameworks/intel/seen/smtp.zeek
similarity index 100%
rename from testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
rename to testing/btest/scripts/policy/frameworks/intel/seen/smtp.zeek
diff --git a/testing/btest/scripts/policy/frameworks/intel/whitelisting.bro b/testing/btest/scripts/policy/frameworks/intel/whitelisting.zeek
similarity index 100%
rename from testing/btest/scripts/policy/frameworks/intel/whitelisting.bro
rename to testing/btest/scripts/policy/frameworks/intel/whitelisting.zeek
diff --git a/testing/btest/scripts/policy/frameworks/software/version-changes.bro b/testing/btest/scripts/policy/frameworks/software/version-changes.zeek
similarity index 100%
rename from testing/btest/scripts/policy/frameworks/software/version-changes.bro
rename to testing/btest/scripts/policy/frameworks/software/version-changes.zeek
diff --git a/testing/btest/scripts/policy/frameworks/software/vulnerable.bro b/testing/btest/scripts/policy/frameworks/software/vulnerable.zeek similarity index 100% rename from testing/btest/scripts/policy/frameworks/software/vulnerable.bro rename to testing/btest/scripts/policy/frameworks/software/vulnerable.zeek diff --git a/testing/btest/scripts/policy/misc/dump-events.bro b/testing/btest/scripts/policy/misc/dump-events.zeek similarity index 100% rename from testing/btest/scripts/policy/misc/dump-events.bro rename to testing/btest/scripts/policy/misc/dump-events.zeek diff --git a/testing/btest/scripts/policy/misc/weird-stats-cluster.bro b/testing/btest/scripts/policy/misc/weird-stats-cluster.zeek similarity index 98% rename from testing/btest/scripts/policy/misc/weird-stats-cluster.bro rename to testing/btest/scripts/policy/misc/weird-stats-cluster.zeek index 140bb3b006..0c73ccf189 100644 --- a/testing/btest/scripts/policy/misc/weird-stats-cluster.bro +++ b/testing/btest/scripts/policy/misc/weird-stats-cluster.zeek @@ -9,7 +9,7 @@ # @TEST-EXEC: btest-diff manager-1/weird_stats.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], diff --git a/testing/btest/scripts/policy/misc/weird-stats.bro b/testing/btest/scripts/policy/misc/weird-stats.zeek similarity index 100% rename from testing/btest/scripts/policy/misc/weird-stats.bro rename to testing/btest/scripts/policy/misc/weird-stats.zeek diff --git a/testing/btest/scripts/policy/protocols/conn/known-hosts.bro b/testing/btest/scripts/policy/protocols/conn/known-hosts.zeek similarity index 100% rename from testing/btest/scripts/policy/protocols/conn/known-hosts.bro rename to testing/btest/scripts/policy/protocols/conn/known-hosts.zeek 
diff --git a/testing/btest/scripts/policy/protocols/conn/known-services.bro b/testing/btest/scripts/policy/protocols/conn/known-services.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/conn/known-services.bro
rename to testing/btest/scripts/policy/protocols/conn/known-services.zeek
diff --git a/testing/btest/scripts/policy/protocols/conn/mac-logging.bro b/testing/btest/scripts/policy/protocols/conn/mac-logging.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/conn/mac-logging.bro
rename to testing/btest/scripts/policy/protocols/conn/mac-logging.zeek
diff --git a/testing/btest/scripts/policy/protocols/conn/vlan-logging.bro b/testing/btest/scripts/policy/protocols/conn/vlan-logging.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/conn/vlan-logging.bro
rename to testing/btest/scripts/policy/protocols/conn/vlan-logging.zeek
diff --git a/testing/btest/scripts/policy/protocols/dns/inverse-request.bro b/testing/btest/scripts/policy/protocols/dns/inverse-request.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/dns/inverse-request.bro
rename to testing/btest/scripts/policy/protocols/dns/inverse-request.zeek
diff --git a/testing/btest/scripts/policy/protocols/http/flash-version.bro b/testing/btest/scripts/policy/protocols/http/flash-version.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/http/flash-version.bro
rename to testing/btest/scripts/policy/protocols/http/flash-version.zeek
diff --git a/testing/btest/scripts/policy/protocols/http/header-names.bro b/testing/btest/scripts/policy/protocols/http/header-names.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/http/header-names.bro
rename to testing/btest/scripts/policy/protocols/http/header-names.zeek
diff --git a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
rename to testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek
diff --git a/testing/btest/scripts/policy/protocols/krb/ticket-logging.bro b/testing/btest/scripts/policy/protocols/krb/ticket-logging.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/krb/ticket-logging.bro
rename to testing/btest/scripts/policy/protocols/krb/ticket-logging.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.bro
rename to testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/expiring-certs.bro b/testing/btest/scripts/policy/protocols/ssl/expiring-certs.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssl/expiring-certs.bro
rename to testing/btest/scripts/policy/protocols/ssl/expiring-certs.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.bro b/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.bro
rename to testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro b/testing/btest/scripts/policy/protocols/ssl/heartbleed.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
rename to testing/btest/scripts/policy/protocols/ssl/heartbleed.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/known-certs.bro b/testing/btest/scripts/policy/protocols/ssl/known-certs.zeek similarity index 100% rename from testing/btest/scripts/policy/protocols/ssl/known-certs.bro rename to testing/btest/scripts/policy/protocols/ssl/known-certs.zeek diff --git a/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.zeek similarity index 100% rename from testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro rename to testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.zeek diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.zeek similarity index 88% rename from testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro rename to testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.zeek index 712e333037..ccca29fd7c 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log @load protocols/ssl/validate-certs diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek similarity index 84% rename from testing/btest/scripts/policy/protocols/ssl/validate-certs.bro rename to testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek index 03803fe2fa..9686c1ab28 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro 
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek @@ -1,6 +1,6 @@ -# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT # @TEST-EXEC: cat ssl.log > ssl-all.log -# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT # @TEST-EXEC: cat ssl.log >> ssl-all.log # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek similarity index 62% rename from testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro rename to testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek index 4e53a46b02..21d174be91 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek 
@@ -1,9 +1,9 @@ -# @TEST-EXEC: bro $SCRIPTS/external-ca-list.bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT +# @TEST-EXEC: bro $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log -# @TEST-EXEC: bro $SCRIPTS/external-ca-list.bro -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT +# @TEST-EXEC: bro $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT # @TEST-EXEC: mv ssl.log ssl-twimg.log # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log -# @TEST-EXEC: bro $SCRIPTS/external-ca-list.bro -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT +# @TEST-EXEC: bro $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT # @TEST-EXEC: mv ssl.log ssl-digicert.log # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-digicert.log diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro b/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek similarity index 88% rename from testing/btest/scripts/policy/protocols/ssl/validate-sct.bro rename to testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek index 8dbd358e17..c21dc18094 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek 
@@ -1,6 +1,6 @@ -# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap $SCRIPTS/external-ca-list.zeek %INPUT # @TEST-EXEC: cat ssl.log > ssl-all.log -# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp-2.pcap $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp-2.pcap $SCRIPTS/external-ca-list.zeek %INPUT # @TEST-EXEC: cat ssl.log >> ssl-all.log # @TEST-EXEC: btest-diff .stdout # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log diff --git a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro b/testing/btest/scripts/policy/protocols/ssl/weak-keys.zeek similarity index 100% rename from testing/btest/scripts/policy/protocols/ssl/weak-keys.bro rename to testing/btest/scripts/policy/protocols/ssl/weak-keys.zeek diff --git a/testing/btest/signatures/bad-eval-condition.bro b/testing/btest/signatures/bad-eval-condition.zeek similarity index 100% rename from testing/btest/signatures/bad-eval-condition.bro rename to testing/btest/signatures/bad-eval-condition.zeek diff --git a/testing/btest/signatures/dpd.bro b/testing/btest/signatures/dpd.zeek similarity index 100% rename from testing/btest/signatures/dpd.bro rename to testing/btest/signatures/dpd.zeek diff --git a/testing/btest/signatures/dst-ip-cidr-v4.bro b/testing/btest/signatures/dst-ip-cidr-v4.zeek similarity index 100% rename from testing/btest/signatures/dst-ip-cidr-v4.bro rename to testing/btest/signatures/dst-ip-cidr-v4.zeek diff --git a/testing/btest/signatures/dst-ip-header-condition-v4-masks.bro b/testing/btest/signatures/dst-ip-header-condition-v4-masks.zeek similarity index 100% rename from testing/btest/signatures/dst-ip-header-condition-v4-masks.bro rename to testing/btest/signatures/dst-ip-header-condition-v4-masks.zeek 
diff --git a/testing/btest/signatures/dst-ip-header-condition-v4.bro b/testing/btest/signatures/dst-ip-header-condition-v4.zeek
similarity index 100%
rename from testing/btest/signatures/dst-ip-header-condition-v4.bro
rename to testing/btest/signatures/dst-ip-header-condition-v4.zeek
diff --git a/testing/btest/signatures/dst-ip-header-condition-v6-masks.bro b/testing/btest/signatures/dst-ip-header-condition-v6-masks.zeek
similarity index 100%
rename from testing/btest/signatures/dst-ip-header-condition-v6-masks.bro
rename to testing/btest/signatures/dst-ip-header-condition-v6-masks.zeek
diff --git a/testing/btest/signatures/dst-ip-header-condition-v6.bro b/testing/btest/signatures/dst-ip-header-condition-v6.zeek
similarity index 100%
rename from testing/btest/signatures/dst-ip-header-condition-v6.bro
rename to testing/btest/signatures/dst-ip-header-condition-v6.zeek
diff --git a/testing/btest/signatures/dst-port-header-condition.bro b/testing/btest/signatures/dst-port-header-condition.zeek
similarity index 100%
rename from testing/btest/signatures/dst-port-header-condition.bro
rename to testing/btest/signatures/dst-port-header-condition.zeek
diff --git a/testing/btest/signatures/eval-condition-no-return-value.bro b/testing/btest/signatures/eval-condition-no-return-value.zeek
similarity index 100%
rename from testing/btest/signatures/eval-condition-no-return-value.bro
rename to testing/btest/signatures/eval-condition-no-return-value.zeek
diff --git a/testing/btest/signatures/eval-condition.bro b/testing/btest/signatures/eval-condition.zeek
similarity index 100%
rename from testing/btest/signatures/eval-condition.bro
rename to testing/btest/signatures/eval-condition.zeek
diff --git a/testing/btest/signatures/header-header-condition.bro b/testing/btest/signatures/header-header-condition.zeek
similarity index 100%
rename from testing/btest/signatures/header-header-condition.bro
rename to testing/btest/signatures/header-header-condition.zeek
diff --git a/testing/btest/signatures/id-lookup.bro b/testing/btest/signatures/id-lookup.zeek
similarity index 100%
rename from testing/btest/signatures/id-lookup.bro
rename to testing/btest/signatures/id-lookup.zeek
diff --git a/testing/btest/signatures/ip-proto-header-condition.bro b/testing/btest/signatures/ip-proto-header-condition.zeek
similarity index 100%
rename from testing/btest/signatures/ip-proto-header-condition.bro
rename to testing/btest/signatures/ip-proto-header-condition.zeek
diff --git a/testing/btest/signatures/load-sigs.bro b/testing/btest/signatures/load-sigs.zeek
similarity index 100%
rename from testing/btest/signatures/load-sigs.bro
rename to testing/btest/signatures/load-sigs.zeek
diff --git a/testing/btest/signatures/src-ip-header-condition-v4-masks.bro b/testing/btest/signatures/src-ip-header-condition-v4-masks.zeek
similarity index 100%
rename from testing/btest/signatures/src-ip-header-condition-v4-masks.bro
rename to testing/btest/signatures/src-ip-header-condition-v4-masks.zeek
diff --git a/testing/btest/signatures/src-ip-header-condition-v4.bro b/testing/btest/signatures/src-ip-header-condition-v4.zeek
similarity index 100%
rename from testing/btest/signatures/src-ip-header-condition-v4.bro
rename to testing/btest/signatures/src-ip-header-condition-v4.zeek
diff --git a/testing/btest/signatures/src-ip-header-condition-v6-masks.bro b/testing/btest/signatures/src-ip-header-condition-v6-masks.zeek
similarity index 100%
rename from testing/btest/signatures/src-ip-header-condition-v6-masks.bro
rename to testing/btest/signatures/src-ip-header-condition-v6-masks.zeek
diff --git a/testing/btest/signatures/src-ip-header-condition-v6.bro b/testing/btest/signatures/src-ip-header-condition-v6.zeek
similarity index 100%
rename from testing/btest/signatures/src-ip-header-condition-v6.bro
rename to testing/btest/signatures/src-ip-header-condition-v6.zeek
diff --git a/testing/btest/signatures/src-port-header-condition.bro b/testing/btest/signatures/src-port-header-condition.zeek similarity index 100% rename from testing/btest/signatures/src-port-header-condition.bro rename to testing/btest/signatures/src-port-header-condition.zeek diff --git a/testing/btest/signatures/udp-packetwise-match.bro b/testing/btest/signatures/udp-packetwise-match.zeek similarity index 100% rename from testing/btest/signatures/udp-packetwise-match.bro rename to testing/btest/signatures/udp-packetwise-match.zeek diff --git a/testing/btest/signatures/udp-payload-size.bro b/testing/btest/signatures/udp-payload-size.zeek similarity index 100% rename from testing/btest/signatures/udp-payload-size.bro rename to testing/btest/signatures/udp-payload-size.zeek diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 029d39391b..758d688ec2 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -37f541404be417d5b092b8b36c7c1c84d2f307e9 +96f9f7976b98447831fcfa2146007ea9ddb98f74 diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index a99b5e8d7b..04034e2be2 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -de8e378210cacc599d8e59e1204286f7fe9cbc1b +fb5be2e139ab5c9840eb6b50e691eacc66f62165 diff --git a/testing/external/scripts/external-ca-list.bro b/testing/external/scripts/external-ca-list.bro deleted file mode 120000 index a52a9be196..0000000000 --- a/testing/external/scripts/external-ca-list.bro +++ /dev/null @@ -1 +0,0 @@ -../../scripts/external-ca-list.bro \ No newline at end of file diff --git a/testing/external/scripts/external-ca-list.zeek b/testing/external/scripts/external-ca-list.zeek new file mode 120000 index 0000000000..a50808a16d --- /dev/null 
+++ b/testing/external/scripts/external-ca-list.zeek @@ -0,0 +1 @@ +../../scripts/external-ca-list.zeek \ No newline at end of file diff --git a/testing/external/scripts/testing-setup.bro b/testing/external/scripts/testing-setup.zeek similarity index 91% rename from testing/external/scripts/testing-setup.bro rename to testing/external/scripts/testing-setup.zeek index a56a72aee5..d24813e1fc 100644 --- a/testing/external/scripts/testing-setup.bro +++ b/testing/external/scripts/testing-setup.zeek @@ -1,6 +1,6 @@ # Sets some testing specific options. -@load external-ca-list.bro +@load external-ca-list @ifdef ( SMTP::never_calc_md5 ) # MDD5s can depend on libmagic output. diff --git a/testing/scripts/external-ca-list.bro b/testing/scripts/external-ca-list.zeek similarity index 100% rename from testing/scripts/external-ca-list.bro rename to testing/scripts/external-ca-list.zeek diff --git a/testing/scripts/file-analysis-test.bro b/testing/scripts/file-analysis-test.zeek similarity index 100% rename from testing/scripts/file-analysis-test.bro rename to testing/scripts/file-analysis-test.zeek diff --git a/testing/scripts/snmp-test.bro b/testing/scripts/snmp-test.zeek similarity index 100% rename from testing/scripts/snmp-test.bro rename to testing/scripts/snmp-test.zeek From 8f82ecc66d3b5c96db4f1ddb4e0f14091d72dd60 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 16 Apr 2019 16:37:12 -0700 Subject: [PATCH 73/88] Updating submodule(s). [nomail] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index 5af14fffad..9b556e5e71 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 5af14fffad53d2c43541a0169494c8fb9b5b2e46 +Subproject commit 9b556e5e71d0d8a5c2e7a1d4be4b308d887310f1 From f21e11d8114db0ef757d1a6c7f92256d829bc271 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 16 Apr 2019 17:44:31 -0700 Subject: [PATCH 74/88] GH-237: add `@load foo.bro` -> foo.zeek fallback When failing to locate a script with explicit .bro suffix, check for whether one with a .zeek suffix exists and use it instead. --- CHANGES | 7 +++++++ NEWS | 10 ++++++---- VERSION | 2 +- src/util.cc | 16 ++++++++++++++++ .../core.load-explicit-bro-suffix-fallback/out | 1 + .../core/load-explicit-bro-suffix-fallback.zeek | 12 ++++++++++++ 6 files changed, 43 insertions(+), 5 deletions(-) create mode 100644 testing/btest/Baseline/core.load-explicit-bro-suffix-fallback/out create mode 100644 testing/btest/core/load-explicit-bro-suffix-fallback.zeek diff --git a/CHANGES b/CHANGES index d9146fbb9b..1779902ddd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.6-227 | 2019-04-16 17:44:31 -0700 + + * GH-237: add `@load foo.bro` -> foo.zeek fallback (Jon Siwek, Corelight) + + When failing to locate a script with explicit .bro suffix, check for + whether one with a .zeek suffix exists and use it instead. + 2.6-225 | 2019-04-16 16:07:49 -0700 * Use .zeek file suffix in unit tests (Jon Siwek, Corelight) diff --git a/NEWS b/NEWS index 36b9556b3e..a1e04773ff 100644 --- a/NEWS +++ b/NEWS 
@@ -81,10 +81,12 @@ Changed Functionality been renamed to ``.zeek``. - The search logic for the ``@load`` script directive now prefers files - ending in ``.zeek``, but will fallback to loading a ``.bro`` file if it - exists. E.g. ``@load foo`` will check for ``foo.zeek`` and then ``foo.bro``. - Note that ``@load foo.bro`` will not automatically check for - ``@load foo.zeek``. + ending in ``.zeek``, but will fallback to loading a ``.bro`` file if + it exists. E.g. ``@load foo`` will first check for a ``foo.zeek`` + file to load and then otherwise ``foo.bro``. Note that + ``@load foo.bro`` (with the explicit ``.bro`` file suffix) prefers + in the opposite order: it first checks for ``foo.bro`` and then + falls back to a ``foo.zeek``, if it exists. - The for-loop index variable for vectors has been changed from 'int' to 'count' type. It's unlikely this would alter/break any diff --git a/VERSION b/VERSION index 23ad9f21a7..168f57bc28 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-225 +2.6-227 diff --git a/src/util.cc b/src/util.cc index 8b4bd0a88b..0367700ffb 100644 --- a/src/util.cc +++ b/src/util.cc @@ -1298,6 +1298,14 @@ string find_file(const string& filename, const string& path_set, return string(); } +static bool ends_with(const std::string& s, const std::string& ending) + { + if ( ending.size() > s.size() ) + return false; + + return std::equal(ending.rbegin(), ending.rend(), s.rbegin()); + } + string find_script_file(const string& filename, const string& path_set) { vector paths; @@ -1313,6 +1321,14 @@ string find_script_file(const string& filename, const string& path_set) return f; } + if ( ends_with(filename, ".bro") ) + { + // We were looking for a file explicitly ending in .bro and didn't + // find it, so fall back to one ending in .zeek, if it exists. + auto fallback = string(filename.data(), filename.size() - 4) + ".zeek"; + return find_script_file(fallback, path_set); + } + return string(); } 
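Review bot: The `.bro` to `.zeek` fallback added at the end of `find_script_file` substitutes a different file without telling the operator, and because it re-runs the search over the whole `path_set`, the `foo.zeek` that gets loaded may sit in a different directory from the one the author of `@load foo.bro` had in mind. Since this decides which script code a sensor executes, I would report the substitution before the recursive call, e.g. `reporter->Warning("%s not found, loading %s instead", filename.c_str(), fallback.c_str());`, assuming the reporter is usable at the point scripts are being located. As a smaller style point, `filename.size() - 4` hard-codes the suffix length that `ends_with(filename, ".bro")` just tested; a named constant shared by both lines would keep them from drifting apart. Most of `find_script_file` lies outside the hunk, so how the per-directory lookup treats a name that already carries a `.zeek` suffix cannot be checked from here.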
diff --git a/testing/btest/Baseline/core.load-explicit-bro-suffix-fallback/out b/testing/btest/Baseline/core.load-explicit-bro-suffix-fallback/out new file mode 100644 index 0000000000..c67eefbfc1 --- /dev/null +++ b/testing/btest/Baseline/core.load-explicit-bro-suffix-fallback/out @@ -0,0 +1 @@ +loaded foo.zeek diff --git a/testing/btest/core/load-explicit-bro-suffix-fallback.zeek b/testing/btest/core/load-explicit-bro-suffix-fallback.zeek new file mode 100644 index 0000000000..28f770ca48 --- /dev/null +++ b/testing/btest/core/load-explicit-bro-suffix-fallback.zeek @@ -0,0 +1,12 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +# We don't have a foo.bro, but we'll accept foo.zeek. +@load foo.bro + +@TEST-START-FILE foo.zeek +event bro_init() + { + print "loaded foo.zeek"; + } +@TEST-END-FILE From ae4129d2b6d562916dbba23972e1265c6a066f10 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 16 Apr 2019 18:06:55 -0700 Subject: [PATCH 75/88] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 2844f70062..3d15efdd8b 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 2844f70062c778094c6baf3864177161843517ac +Subproject commit 3d15efdd8b732c27e903c2d34f70fa4fa09bdcc1 From 915189a06aa0b5a50dcd330089f81355c09947bc Mon Sep 17 00:00:00 2001 
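Review bot: The new btest `load-explicit-bro-suffix-fallback.zeek` covers only the case where `foo.bro` is absent, while the NEWS entry in the same commit also promises that `@load foo.bro` checks `foo.bro` first when both files exist. A second case with both a `foo.bro` and a `foo.zeek` `@TEST-START-FILE` block, each printing a distinct string, would pin that precedence so a later change to the search order cannot silently swap which script is executed. A case where neither file exists would additionally confirm that the load still fails with an error instead of succeeding quietly.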
From: Vern Paxson Date: Wed, 17 Apr 2019 14:20:48 -0700 Subject: [PATCH 76/88] added 'g' $history character for content gaps --- scripts/base/protocols/conn/main.zeek | 3 ++- src/analyzer/protocol/tcp/TCP.cc | 18 +++++++++--------- src/analyzer/protocol/tcp/TCP_Endpoint.cc | 12 ++++++++++-- src/analyzer/protocol/tcp/TCP_Endpoint.h | 4 ++++ src/analyzer/protocol/tcp/TCP_Reassembler.cc | 3 +++ src/analyzer/protocol/tcp/events.bif | 18 +++++++++++++++--- .../core.tcp.large-file-reassembly/conn.log | 6 +++--- .../core.tcp.large-file-reassembly/files.log | 4 ++-- .../Baseline/core.tcp.rxmit-history/conn-1.log | 6 +++--- .../Baseline/core.tcp.rxmit-history/conn-2.log | 4 ++-- .../conn.log | 6 +++--- .../conn.log | 6 +++--- .../ftp.log | 4 ++-- 13 files changed, 61 insertions(+), 33 deletions(-) diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek index e2209b6e22..ed28bd6104 100644 --- a/scripts/base/protocols/conn/main.zeek +++ b/scripts/base/protocols/conn/main.zeek @@ -107,6 +107,7 @@ export { ## f packet with FIN bit set ## r packet with RST bit set ## c packet with a bad checksum (applies to UDP too) + ## g a content gap ## t packet with retransmitted payload ## w packet with a zero window advertisement ## i inconsistent packet (e.g. FIN+RST bits set) @@ -122,7 +123,7 @@ export { ## 's' can be recorded multiple times for either direction ## if the associated sequence number differs from the ## last-seen packet of the same flag type. - ## 'c', 't' and 'w' are recorded in a logarithmic fashion: + ## 'c', 'g', 't' and 'w' are recorded in a logarithmic fashion: ## the second instance represents that the event was seen ## (at least) 10 times; the third instance, 100 times; etc. history: string &log &optional; diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index 9329b103ed..595fe8e6b6 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc 
@@ -1321,6 +1321,14 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, PacketWithRST(); } + int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags, len); + endpoint->last_time = current_timestamp; + + int do_close; + int gen_event; + UpdateStateMachine(current_timestamp, endpoint, peer, base_seq, ack_seq, + len, delta_last, is_orig, flags, do_close, gen_event); + uint64 rel_ack = 0; if ( flags.ACK() ) @@ -1350,21 +1358,13 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, Weird("TCP_ack_underflow_or_misorder"); } else if ( ! flags.RST() ) - // Don't trust ack's in RSt packets. + // Don't trust ack's in RST packets. update_ack_seq(peer, ack_seq); } peer->AckReceived(rel_ack); } - int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags, len); - endpoint->last_time = current_timestamp; - - int do_close; - int gen_event; - UpdateStateMachine(current_timestamp, endpoint, peer, base_seq, ack_seq, - len, delta_last, is_orig, flags, do_close, gen_event); - if ( tcp_packet ) GeneratePacketEvent(rel_seq, rel_ack, data, len, caplen, is_orig, flags); diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc index 7e7b316e10..99551cd211 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc @@ -32,8 +32,8 @@ TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig) tcp_analyzer = arg_analyzer; is_orig = arg_is_orig; - chk_cnt = rxmt_cnt = win0_cnt = 0; - chk_thresh = rxmt_thresh = win0_thresh = 1; + gap_cnt = chk_cnt = rxmt_cnt = win0_cnt = 0; + gap_thresh = chk_thresh = rxmt_thresh = win0_thresh = 1; hist_last_SYN = hist_last_FIN = hist_last_RST = 0; 
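Review bot: Moving `update_last_seq()` and `UpdateStateMachine()` ahead of the ACK handling in `TCP_Analyzer::DeliverPacket` changes, for every packet, whether endpoint state is updated before or after `peer->AckReceived(rel_ack)` runs, yet neither the commit message nor the code says why. It looks as if the move exists so that the connection already counts as established when an ACK-triggered gap reaches the new `established()` test in `TCP_Reassembler::Gap`, but that is inferred from the rest of the patch. A comment above the moved block, such as `// Update the state machine before processing the ACK: AckReceived() can report gaps, and gap history depends on the connection state.`, would record the dependency for the next person who reorders this code. The function starts and ends outside both hunks, so other consumers of the old ordering cannot be ruled out from here.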
@@ -313,3 +313,11 @@ void TCP_Endpoint::ZeroWindow() Conn()->HistoryThresholdEvent(tcp_multiple_zero_windows, IsOrig(), t); } + +void TCP_Endpoint::Gap(uint64 seq, uint64 len) + { + uint32 t = gap_thresh; + if ( Conn()->ScaledHistoryEntry(IsOrig() ? 'G' : 'g', + gap_cnt, gap_thresh) ) + Conn()->HistoryThresholdEvent(tcp_multiple_gap, IsOrig(), t); + } diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h index 4c38aadd93..4c1cf64d6c 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h @@ -175,6 +175,9 @@ public: // Called to inform endpoint that it has offered a zero window. void ZeroWindow(); + // Called to inform endpoint that it a gap occurred. + void Gap(uint64 seq, uint64 len); + // Returns true if the data was used (and hence should be recorded // in the save file), false otherwise. int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, @@ -240,6 +243,7 @@ protected: uint32 chk_cnt, chk_thresh; uint32 rxmt_cnt, rxmt_thresh; uint32 win0_cnt, win0_thresh; + uint32 gap_cnt, gap_thresh; }; #define ENDIAN_UNKNOWN 0 diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index ef68f621b5..5a82197054 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -134,6 +134,9 @@ void TCP_Reassembler::Gap(uint64 seq, uint64 len) // The one opportunity we lose here is on clean FIN // handshakes, but Oh Well. + if ( established(endp, endp->peer) ) + endp->Gap(seq, len); + if ( report_gap(endp, endp->peer) ) { val_list* vl = new val_list; diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif index d93ebe4819..390dadec0f 100644 --- a/src/analyzer/protocol/tcp/events.bif +++ b/src/analyzer/protocol/tcp/events.bif 
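Review bot: `TCP_Endpoint::Gap(uint64 seq, uint64 len)` never reads `seq` or `len`; it only advances the scaled `gap_cnt` history counter, so a one-byte gap and a very large one are recorded identically. Either drop the parameters or say that they are reserved, for example `// seq and len are currently unused; only the number of gaps is tracked.`. The matching declaration comment in `TCP_Endpoint.h` has a typo and should read `// Called to inform endpoint that a gap occurred.`.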
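Review bot: In `TCP_Reassembler::Gap` the new `endp->Gap(seq, len)` call is guarded by `established(endp, endp->peer)`, so gaps on connections that never reach that state leave no `g`/`G` in `history`, while the documentation added in `conn/main.zeek` describes `g` simply as `a content gap`. An analyst who reads the absence of `g` in conn.log as evidence that a stream was captured completely would be misled for partial connections. I would state the condition where the flag is documented, e.g. `## g       a content gap (recorded only once the connection is established)`, and add a one-line comment on the guard explaining why unestablished connections are excluded. The function body begins and ends outside the hunk.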
@@ -300,7 +300,7 @@ event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_ ## threshold: the threshold that was crossed ## ## .. bro:see:: udp_multiple_checksum_errors -## tcp_multiple_zero_windows tcp_multiple_retransmissions +## tcp_multiple_zero_windows tcp_multiple_retransmissions tcp_multiple_gap event tcp_multiple_checksum_errors%(c: connection, is_orig: bool, threshold: count%); ## Generated if a TCP flow crosses a zero-window threshold, per @@ -312,7 +312,7 @@ event tcp_multiple_checksum_errors%(c: connection, is_orig: bool, threshold: cou ## ## threshold: the threshold that was crossed ## -## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_retransmissions +## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_retransmissions tcp_multiple_gap event tcp_multiple_zero_windows%(c: connection, is_orig: bool, threshold: count%); ## Generated if a TCP flow crosses a retransmission threshold, per @@ -324,9 +324,21 @@ event tcp_multiple_zero_windows%(c: connection, is_orig: bool, threshold: count% ## ## threshold: the threshold that was crossed ## -## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows +## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_gap event tcp_multiple_retransmissions%(c: connection, is_orig: bool, threshold: count%); +## Generated if a TCP flow crosses a gap threshold, per 'G'/'g' history +## reporting. +## +## c: The connection record for the TCP connection. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_retransmissions +event tcp_multiple_gap%(c: connection, is_orig: bool, threshold: count%); + ## Generated when failing to write contents of a TCP stream to a file. ## ## c: The connection whose contents are being recorded. 
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log index 8da44df913..3a997687d1 100644 --- a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log +++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log @@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-13-01 +#open 2019-04-17-20-41-29 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 - -1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 - +1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdgfFa 13 688 12 24454 - 1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 - -#close 2016-07-13-16-13-01 +#close 2019-04-17-20-41-29 diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log index 31087d58cc..15de6047b6 100644 --- a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log +++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path files -#open 2017-01-25-07-03-11 +#open 2019-04-17-20-41-29 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count 1395939406.177079 FAb5m22Dhe2Zi95anf 192.168.56.101 192.168.56.1 ClEkJM2Vm5giqnMf4h FTP_DATA 0 DATA_EVENT text/plain - 0.000000 - F 270 - 0 0 F - - - - - - - 1395939411.364462 FhI0ao2FNTjabdfSBd 192.168.56.101 192.168.56.1 C4J4Th3PJpwUYZZ6gc FTP_DATA 0 DATA_EVENT text/plain - 150.490904 - F 23822 - 5416642848 0 F - - - - - - - -#close 2017-01-25-07-03-11 +#close 2019-04-17-20-41-29 diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log index 43daf101a3..466f882257 100644 --- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log +++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2018-01-12-21-43-34 +#open 2019-04-17-20-42-43 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADadtR 17 1250 22 28961 - -#close 2018-01-12-21-43-34 +1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADaGdgtR 17 1250 22 28961 - +#close 2019-04-17-20-42-43 diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log index 22d4ec3ab9..e75d9487d0 100644 --- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log +++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path conn -#open 2018-01-12-21-43-35 +#open 2019-04-17-20-42-44 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 - 
@@ -40,4 +40,4 @@ 1300475168.859163 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - 1300475168.892936 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - 1300475168.895267 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - -#close 2018-01-12-21-43-35 +#close 2019-04-17-20-42-44 diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log index 9a673f80e2..614a90a0f7 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log 
@@ -3,13 +3,13 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-15-38 +#open 2019-04-17-21-00-04 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1254722767.492060 CHhAvVGS1DHFjwGM9 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF - - 0 Dd 1 62 1 128 - 1254722776.690444 C4J4Th3PJpwUYZZ6gc 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 - 1254722767.529046 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 tcp - 0.346950 0 0 S1 - - 0 Sh 1 48 1 48 - 1437831776.764391 CtPZjS20MLrsMUOJi2 192.168.133.100 49285 66.196.121.26 5050 tcp - 0.343008 41 0 OTH - - 0 Da 1 93 1 52 - -1437831787.856895 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 tcp - 0.048043 162 154 S1 - - 154 ShDA 3 192 1 60 - +1437831787.856895 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 tcp - 0.048043 162 154 S1 - - 154 ShDgA 3 192 1 60 - 1437831798.533765 CmES5u32sYpV7JYN 192.168.133.100 49336 74.125.71.189 443 tcp - - - - OTH - - 0 A 1 52 0 0 - -#close 2016-07-13-16-15-38 +#close 2019-04-17-21-00-04 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log index 8990518008..2559f88db2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-16-15 +#open 2019-04-17-21-00-49 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1464385864.999633 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 tcp ftp 600.931043 41420 159830 S1 - - 233 ShAdDa 4139 206914 4178 326799 - -#close 2016-07-13-16-16-15 +1464385864.999633 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 tcp ftp 600.931043 41420 159830 S1 - - 233 ShAdDaGg 4139 206914 4178 326799 - +#close 2019-04-17-21-00-50 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log index 4516886e52..8a2d00a6c7 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path ftp -#open 2016-07-13-16-16-15 +#open 2019-04-17-21-00-48 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid #types time string addr port addr port string string string string string count count string bool addr addr port string 1464385865.669674 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 anonymous anonymous@ PASV - - - 227 Entering Passive Mode (205,167,25,101,243,251). T 10.3.22.91 205.167.25.101 62459 - 
@@ -1381,4 +1381,4 @@ 1464386464.737901 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 anonymous anonymous@ RETR ftp://10.167.25.101/./pub/data/1993/722024-99999-1993.gz - 30171 226 Transfer complete - - - - - 1464386465.294490 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 anonymous anonymous@ PASV - - - 227 Entering Passive Mode (205,167,25,101,251,88). T 10.3.22.91 205.167.25.101 64344 - 1464386465.471708 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 anonymous anonymous@ RETR ftp://10.167.25.101/./pub/data/1994/722024-99999-1994.gz - 29736 226 Transfer complete - - - - - -#close 2016-07-13-16-16-15 +#close 2019-04-17-21-00-50 From 31e9ae0fed9ffc7973debcd6fb9692d10ad0b5d1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 17 Apr 2019 16:02:38 -0700 Subject: [PATCH 77/88] Updating submodule(s). [nomail] --- aux/bifcl | 2 +- aux/binpac | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/zeek-aux | 2 +- cmake | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/aux/bifcl b/aux/bifcl index d787c301ce..1dea95dd78 160000 --- a/aux/bifcl +++ b/aux/bifcl @@ -1 +1 @@ -Subproject commit d787c301ce1183765773a0a7fd29bf142dc11f0d +Subproject commit 1dea95dd7819cb6b80291d5830e2b7d04b14abd0 diff --git a/aux/binpac b/aux/binpac index 9ee2eab599..f648419d79 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 9ee2eab59925f3b846be6531a0569df3c8580591 +Subproject commit f648419d796f8ab9f36991062ae790174e084aee diff --git a/aux/broccoli b/aux/broccoli index 5d568e69a2..0ec42e5f54 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 5d568e69a2f59edf6b026c2e4d591a6c415f51d0 +Subproject commit 0ec42e5f54b7f0a65e35213d709ae19499526647 diff --git a/aux/broctl b/aux/broctl index 3d15efdd8b..65f213ff35 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 3d15efdd8b732c27e903c2d34f70fa4fa09bdcc1 +Subproject commit 65f213ff3573314ac8f7b33ff4b121d93fc883dc 
diff --git a/aux/broker b/aux/broker index 12a22c295c..e8f6d7fa95 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 12a22c295c31ec58009680b2babb111daf8b8e3c +Subproject commit e8f6d7fa952c7d0bb9cb5f54e82806a17a9b85f3 diff --git a/aux/zeek-aux b/aux/zeek-aux index b232d84996..0ec8103a69 160000 --- a/aux/zeek-aux +++ b/aux/zeek-aux @@ -1 +1 @@ -Subproject commit b232d84996b3da69e1ca08dfc7777b5d24c369e9 +Subproject commit 0ec8103a698ae71ff23d4dfa9e38b624c22ae718 diff --git a/cmake b/cmake index 1c527236d0..8554b602ee 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 1c527236d083af129cf130b205d61b336c475ae8 +Subproject commit 8554b602eed13076484fdac18fbdd934b061bed7 From 5f3e608b601d930896f8f9a30ea386bd891cbd12 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 17 Apr 2019 16:44:16 -0700 Subject: [PATCH 78/88] Fix unit test failures on case-insensitive file systems The original casing mistake in the test only pops up now due to the new .zeek over .bro file loading preference --- CHANGES | 4 ++++ VERSION | 2 +- .../btest/plugins/bifs-and-scripts-install.sh | 16 ++++++------- testing/btest/plugins/bifs-and-scripts.sh | 24 +++++++++---------- 4 files changed, 25 insertions(+), 21 deletions(-) diff --git a/CHANGES b/CHANGES index 1779902ddd..dbaf61c9c8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-230 | 2019-04-17 16:44:16 -0700 + + * Fix unit test failures on case-insensitive file systems (Jon Siwek, Corelight) + 2.6-227 | 2019-04-16 17:44:31 -0700 * GH-237: add `@load foo.bro` -> foo.zeek fallback (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index 168f57bc28..7f4be0e904 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-227 +2.6-230 diff --git a/testing/btest/plugins/bifs-and-scripts-install.sh b/testing/btest/plugins/bifs-and-scripts-install.sh index 5498e515ca..dac1eeb3c2 100644 --- a/testing/btest/plugins/bifs-and-scripts-install.sh +++ b/testing/btest/plugins/bifs-and-scripts-install.sh 
@@ -4,20 +4,20 @@ # @TEST-EXEC: make # @TEST-EXEC: make install # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd`/test-install bro -NN Demo::Foo >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd`/test-install bro demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd`/test-install bro Demo/Foo -r $TRACES/empty.trace >>output # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output -mkdir -p scripts/demo/foo/base/ +mkdir -p scripts/Demo/Foo/base/ cat >scripts/__load__.zeek <scripts/demo/foo/__load__.bro <scripts/Demo/Foo/__load__.zeek <scripts/demo/foo/manually.bro <scripts/Demo/Foo/manually.zeek <scripts/demo/foo/base/at-startup.bro <scripts/Demo/Foo/base/at-startup.zeek <activate.bro <activate.zeek <>output # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -r $TRACES/empty.trace >>output # @TEST-EXEC: echo === >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro Demo/Foo -r $TRACES/empty.trace >>output # @TEST-EXEC: echo =-= >>output # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b -r $TRACES/empty.trace >>output # @TEST-EXEC: echo =-= >>output -# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -b demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -b Demo/Foo -r $TRACES/empty.trace >>output # @TEST-EXEC: echo === >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b ./activate.bro -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b ./activate.zeek -r $TRACES/empty.trace >>output # @TEST-EXEC: echo === >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b ./activate.bro demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b ./activate.zeek Demo/Foo -r $TRACES/empty.trace >>output # @TEST-EXEC: echo === >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b Demo::Foo demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b Demo::Foo Demo/Foo -r $TRACES/empty.trace >>output # @TEST-EXEC: 
TEST_DIFF_CANONIFIER= btest-diff output -mkdir -p scripts/demo/foo/base/ +mkdir -p scripts/Demo/Foo/base/ cat >scripts/__load__.zeek <scripts/demo/foo/__load__.bro <scripts/Demo/Foo/__load__.zeek <scripts/demo/foo/manually.bro <scripts/Demo/Foo/manually.zeek <scripts/demo/foo/base/at-startup.bro <scripts/Demo/Foo/base/at-startup.zeek <activate.bro <activate.zeek < Date: Fri, 19 Apr 2019 12:00:37 -0700 Subject: [PATCH 79/88] GH-236: Add zeek_script_loaded event, deprecate bro_script_loaded --- CHANGES | 7 +++++ NEWS | 11 ++++---- VERSION | 2 +- doc | 2 +- scripts/policy/misc/loaded-scripts.zeek | 2 +- src/event.bif | 9 +++++-- src/main.cc | 2 +- src/parse.y | 5 +++- .../Baseline/language.zeek_script_loaded/out | 4 +++ .../{zeek_init.bro => zeek_init.zeek} | 0 .../btest/language/zeek_script_loaded.zeek | 26 +++++++++++++++++++ 11 files changed, 58 insertions(+), 12 deletions(-) create mode 100644 testing/btest/Baseline/language.zeek_script_loaded/out rename testing/btest/language/{zeek_init.bro => zeek_init.zeek} (100%) create mode 100644 testing/btest/language/zeek_script_loaded.zeek diff --git a/CHANGES b/CHANGES index b773789f55..c04a412d99 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.6-237 | 2019-04-19 12:00:37 -0700 + + * GH-236: Add zeek_script_loaded event, deprecate bro_script_loaded (Jon Siwek, Corelight) + + Existing handlers for bro_script_loaded automatically alias to the new + zeek_script_loaded event, but emit a deprecation warning. + 2.6-236 | 2019-04-19 11:16:35 -0700 * Add zeek_init/zeek_done events and deprecate bro_init/bro_done (Seth Hall, Corelight) diff --git a/NEWS b/NEWS index df9dca2229..7671919e36 100644 --- a/NEWS +++ b/NEWS 
@@ -176,11 +176,12 @@ Deprecated Functionality instead. The later will automatically return a value that is enclosed in double-quotes. -- The ``bro_init`` and ``bro_done`` events are now deprecated, use - ``zeek_init`` and ``zeek_done`` instead. Any existing handlers for - ``bro_init`` and ``bro_done`` will automatically alias to the new - ``zeek_init`` and ``zeek_done`` events such that existing code will - not break, but will emit a deprecation warning. +- The ``bro_init``, ``bro_done``, and ``bro_script_loaded`` events are now + deprecated, use ``zeek_init``, ``zeek_done``, and + ``zeek_script_loaded`` instead. Any existing event handlers for + the deprecated versions will automatically alias to the new events + such that existing code will not break, but will emit a deprecation + warning. Bro 2.6 ======= diff --git a/VERSION b/VERSION index d732c2900b..dd25d12142 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-236 +2.6-237 diff --git a/doc b/doc index 5e02a297ee..ef39a55ef0 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 5e02a297eefe8740e8b84f7610fbf126af5c3475 +Subproject commit ef39a55ef00382d49459783aa0144ef672b4de97 diff --git a/scripts/policy/misc/loaded-scripts.zeek b/scripts/policy/misc/loaded-scripts.zeek index fd616bba19..0bd986e01a 100644 --- a/scripts/policy/misc/loaded-scripts.zeek +++ b/scripts/policy/misc/loaded-scripts.zeek @@ -32,7 +32,7 @@ event zeek_init() &priority=5 Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts"]); } -event bro_script_loaded(path: string, level: count) +event zeek_script_loaded(path: string, level: count) { Log::write(LoadedScripts::LOG, [$name=cat(get_indent(level), compress_path(path))]); } diff --git a/src/event.bif b/src/event.bif index 4585003090..2cab61752c 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -872,9 +872,14 @@ event reporter_error%(t: time, msg: string, location: string%) &error_handler; ## ## path: The full path to the script loaded. ## -## level: The "nesting level": zero for a top-level Bro script and incremented +## level: The "nesting level": zero for a top-level Zeek script and incremented ## recursively for each ``@load``. -event bro_script_loaded%(path: string, level: count%); +event zeek_script_loaded%(path: string, level: count%); + +## Deprecated synonym for ``zeek_script_loaded``. +## +## .. bro:see: zeek_script_loaded +event bro_script_loaded%(path: string, level: count%) &deprecated; ## Generated each time Bro's script interpreter opens a file. This event is ## triggered only for files opened via :bro:id:`open`, and in particular not for diff --git a/src/main.cc b/src/main.cc index 1d2b89cc0c..1dddc99681 100644 --- a/src/main.cc +++ b/src/main.cc @@ -1193,7 +1193,7 @@ int main(int argc, char** argv) val_list* vl = new val_list; vl->append(new StringVal(i->name.c_str())); vl->append(val_mgr->GetCount(i->include_level)); - mgr.QueueEvent(bro_script_loaded, vl); + mgr.QueueEvent(zeek_script_loaded, vl); } reporter->ReportViaEvents(true); diff --git a/src/parse.y b/src/parse.y index 338436da9e..3b5d2cab14 100644 --- a/src/parse.y +++ b/src/parse.y @@ -1171,11 +1171,14 @@ func_hdr: } | TOK_EVENT event_id func_params opt_attr { - // Gracefully handle the deprecation of bro_init and bro_done + // Gracefully handle the deprecation of bro_init, bro_done, + // and bro_script_loaded if ( streq("bro_init", $2->Name()) ) $2 = global_scope()->Lookup("zeek_init"); else if ( streq("bro_done", $2->Name()) ) $2 = global_scope()->Lookup("zeek_done"); + else if ( streq("bro_script_loaded", $2->Name()) ) + $2 = global_scope()->Lookup("zeek_script_loaded"); begin_func($2, current_module.c_str(), FUNC_FLAVOR_EVENT, 0, $3, $4); 
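Review bot: The doc comment added above the deprecated `bro_script_loaded` declaration in src/event.bif writes its cross-reference as `.. bro:see: zeek_script_loaded`, with a single colon after `see`. reST directives take a double colon, so this line is most likely parsed as a comment and the link to the replacement event never reaches the generated docs. I would write it as `## .. bro:see:: zeek_script_loaded`. The deprecated entry could also state in one sentence that existing handlers are aliased to the new event, since the loaded-scripts log depends on it.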
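Review bot: In the `TOK_EVENT` branch of `func_hdr` (src/parse.y), the new `bro_script_loaded` arm assigns `global_scope()->Lookup("zeek_script_loaded")` to `$2` and passes it straight to `begin_func()` without checking that the lookup returned an identifier. The two existing arms do the same, but each added alias widens the assumption that the target event is registered before any script is parsed. A guard after the chain, for example `if ( ! $2 ) reporter->InternalError("deprecated event alias target missing");`, would turn a possible null dereference into a clear error, assuming `reporter` is in scope in this file. The identifier originally held in `$2` is also replaced without any visible release, which may leak a reference and is worth confirming. The rule body continues outside the hunk.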
diff --git a/testing/btest/Baseline/language.zeek_script_loaded/out b/testing/btest/Baseline/language.zeek_script_loaded/out new file mode 100644 index 0000000000..cddf509308 --- /dev/null +++ b/testing/btest/Baseline/language.zeek_script_loaded/out @@ -0,0 +1,4 @@ +zeek_script_loaded priority 10 +bro_script_loaded priority 5 +zeek_script_loaded priority 0 +bro_script_loaded priority -10 diff --git a/testing/btest/language/zeek_init.bro b/testing/btest/language/zeek_init.zeek similarity index 100% rename from testing/btest/language/zeek_init.bro rename to testing/btest/language/zeek_init.zeek diff --git a/testing/btest/language/zeek_script_loaded.zeek b/testing/btest/language/zeek_script_loaded.zeek new file mode 100644 index 0000000000..41f43409e6 --- /dev/null +++ b/testing/btest/language/zeek_script_loaded.zeek @@ -0,0 +1,26 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +event zeek_script_loaded(path: string, level: count) &priority=10 + { + if ( /zeek_script_loaded.zeek/ in path ) + print "zeek_script_loaded priority 10"; + } + +event bro_script_loaded(path: string, level: count) &priority=5 + { + if ( /zeek_script_loaded.zeek/ in path ) + print "bro_script_loaded priority 5"; + } + +event zeek_script_loaded(path: string, level: count) &priority=0 + { + if ( /zeek_script_loaded.zeek/ in path ) + print "zeek_script_loaded priority 0"; + } + +event bro_script_loaded(path: string, level: count) &priority=-10 + { + if ( /zeek_script_loaded.zeek/ in path ) + print "bro_script_loaded priority -10"; + } From 9c8ad11d92fcc7ea907c80c823a47e53e04683a6 Mon Sep 17 00:00:00 2001 
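Review bot: The new test testing/btest/language/zeek_script_loaded.zeek captures only stdout (`bro -b %INPUT >out`), so it pins handler aliasing and priority order but not the deprecation warning that the changelog promises for `bro_script_loaded` handlers. If that warning goes to stderr, adding `# @TEST-EXEC: btest-diff .stderr` would keep the warning from regressing silently. Alternatively the run line could redirect `2>err` and diff that file. A short header comment saying that the two `bro_script_loaded` handlers are there to exercise the alias would also help the next reader.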
From: Vern Paxson Date: Mon, 22 Apr 2019 09:13:23 -0700 Subject: [PATCH 80/88] Refined state machine update placement to (1) properly deal with gaps capped by clean FIN handshakes, and (1) fix failure to detect split routing. Fixed typo flagged by Pierre Lalet. --- src/analyzer/protocol/tcp/TCP.cc | 27 ++++++++++++------- src/analyzer/protocol/tcp/TCP_Endpoint.h | 2 +- src/analyzer/protocol/tcp/TCP_Reassembler.cc | 24 ++++++++++------- .../core.tcp.large-file-reassembly/conn.log | 6 ++--- .../Baseline/core.tcp.miss-end-data/conn.log | 6 ++--- .../core.tunnels.gtp.outer_ip_frag/conn.log | 6 ++--- 6 files changed, 42 insertions(+), 29 deletions(-) diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index 595fe8e6b6..1f5309a1b9 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -1321,14 +1321,6 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, PacketWithRST(); } - int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags, len); - endpoint->last_time = current_timestamp; - - int do_close; - int gen_event; - UpdateStateMachine(current_timestamp, endpoint, peer, base_seq, ack_seq, - len, delta_last, is_orig, flags, do_close, gen_event); - uint64 rel_ack = 0; if ( flags.ACK() ) 
@@ -1361,10 +1353,25 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, // Don't trust ack's in RST packets. update_ack_seq(peer, ack_seq); } - - peer->AckReceived(rel_ack); } + int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags, len); + endpoint->last_time = current_timestamp; + + int do_close; + int gen_event; + UpdateStateMachine(current_timestamp, endpoint, peer, base_seq, ack_seq, + len, delta_last, is_orig, flags, do_close, gen_event); + + if ( flags.ACK() ) + // We wait on doing this until we've updated the state + // machine so that if the ack reveals a content gap, + // we can tell whether it came at the very end of the + // connection (in a FIN or RST). Those gaps aren't + // reliable - especially those for RSTs - and we refrain + // from flagging them in the connection history. + peer->AckReceived(rel_ack); + if ( tcp_packet ) GeneratePacketEvent(rel_seq, rel_ack, data, len, caplen, is_orig, flags); diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h index 4c1cf64d6c..b17cfef700 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h @@ -175,7 +175,7 @@ public: // Called to inform endpoint that it has offered a zero window. void ZeroWindow(); - // Called to inform endpoint that it a gap occurred. + // Called to inform endpoint that a gap occurred. void Gap(uint64 seq, uint64 len); // Returns true if the data was used (and hence should be recorded diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index 5a82197054..e91f400d76 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc 
@@ -112,29 +112,35 @@ void TCP_Reassembler::SetContentsFile(BroFile* f) record_contents_file = f; } -static inline bool established(const TCP_Endpoint* a, const TCP_Endpoint* b) +static inline bool is_clean(const TCP_Endpoint* a) { - return a->state == TCP_ENDPOINT_ESTABLISHED && - b->state == TCP_ENDPOINT_ESTABLISHED; + return a->state == TCP_ENDPOINT_ESTABLISHED || + (a->state == TCP_ENDPOINT_CLOSED && + a->prev_state == TCP_ENDPOINT_ESTABLISHED); + } + +static inline bool established_or_cleanly_closing(const TCP_Endpoint* a, + const TCP_Endpoint* b) + { + return is_clean(a) && is_clean(b); } static inline bool report_gap(const TCP_Endpoint* a, const TCP_Endpoint* b) { return content_gap && - ( BifConst::report_gaps_for_partial || established(a, b) ); + ( BifConst::report_gaps_for_partial || + established_or_cleanly_closing(a, b) ); } void TCP_Reassembler::Gap(uint64 seq, uint64 len) { // Only report on content gaps for connections that - // are in a cleanly established state. In other - // states, these can arise falsely due to things + // are in a cleanly established or closing state. In + // other states, these can arise falsely due to things // like sequence number mismatches in RSTs, or // unseen previous packets in partial connections. - // The one opportunity we lose here is on clean FIN - // handshakes, but Oh Well. - if ( established(endp, endp->peer) ) + if ( established_or_cleanly_closing(endp, endp->peer) ) endp->Gap(seq, len); if ( report_gap(endp, endp->peer) ) diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log index 3a997687d1..fbb4a71369 100644 --- a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log +++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log 
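Review bot: `is_clean()` and `established_or_cleanly_closing()` in TCP_Reassembler.cc have no comment saying that they depend on the endpoint's `state` and `prev_state` already reflecting the packet being processed. That holds only because this commit moves `AckReceived()` after `UpdateStateMachine()` in TCP.cc, and a later reordering there would silently change which gaps reach `endp->Gap()` and gap reporting. I would add above `is_clean`: `// Clean = established, or closed directly from established. Relies on the state machine being updated before AckReceived() is called.` `Gap()` also evaluates `established_or_cleanly_closing(endp, endp->peer)` twice, once directly and once inside `report_gap()`; a local `bool clean` would make the shared condition explicit. The body of `Gap()` continues past the hunk.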
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path conn -#open 2019-04-17-20-41-29 +#open 2019-04-19-18-10-57 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 - -1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdgfFa 13 688 12 24454 - +1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 5416642848 ShAdgfFa 13 688 12 24454 - 1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 - -#close 2019-04-17-20-41-29 +#close 2019-04-19-18-10-57 diff --git a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log index b33aec3366..e8d6102398 100644 --- a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log +++ b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-13-02 +#open 2019-04-19-18-11-06 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 - -#close 2016-07-13-16-13-02 +1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafgF 5 750 4 172 - +#close 2019-04-19-18-11-07 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log index 4c598b386d..dfa705f258 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-13-10 +#open 2019-04-19-18-10-49 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1333458850.364667 ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - - 0 ShADadfF 27 3204 41 52594 CHhAvVGS1DHFjwGM9 +1333458850.364667 ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - - 5760 ShADadfgF 27 3204 41 52594 CHhAvVGS1DHFjwGM9 1333458850.364667 CHhAvVGS1DHFjwGM9 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - - 0 Dd 27 4176 41 54070 - -#close 2016-07-13-16-13-10 +#close 2019-04-19-18-10-49 From f15c99c82ea11b8050f578e03b7597b9e891940a Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 22 Apr 2019 11:19:52 -0700 Subject: [PATCH 81/88] Updating submodule(s). [nomail] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index ef39a55ef0..6857222c8c 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit ef39a55ef00382d49459783aa0144ef672b4de97 +Subproject commit 6857222c8c7050c96906757b468cbc1bffb7a807 From 5ba46eaa71fbd065316b7de19595bd8e2ba0b7a8 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 22 Apr 2019 22:43:09 +0200 Subject: [PATCH 82/88] update SSL consts from TLS 1.3 --- CHANGES | 4 ++++ VERSION | 2 +- doc | 2 +- scripts/base/protocols/ssl/consts.zeek | 11 +++++++++++ .../.stdout | 12 ++++++------ 5 files changed, 23 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 98f3034437..add558f878 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,8 @@ +2.6-242 | 2019-04-22 22:43:09 +0200 + + * update SSL consts from TLS 1.3 (Johanna Amann) + 2.6-241 | 2019-04-22 12:38:06 -0700 * Add 'g' character to conn.log history field to flag content gaps (Vern Paxson, Corelight) diff --git a/VERSION b/VERSION index cc71b4548f..39cb43fbe0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-241 +2.6-242 diff --git a/doc b/doc index 8e741019c2..38f6edaf27 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 8e741019c26015066b1e59c224de3ae6b20ff76f +Subproject commit 38f6edaf273401eef51cf754010f144be6398066 diff --git a/scripts/base/protocols/ssl/consts.zeek b/scripts/base/protocols/ssl/consts.zeek index aaac5aab84..dc4f72674b 100644 --- a/scripts/base/protocols/ssl/consts.zeek +++ b/scripts/base/protocols/ssl/consts.zeek @@ -78,6 +78,7 @@ export { [4] = "sha256", [5] = "sha384", [6] = "sha512", + [8] = "Intrinsic", } &default=function(i: count):string { return fmt("unknown-%d", i); }; ## Mapping between numeric codes and human readable strings for signature @@ -87,6 +88,16 @@ export { [1] = "rsa", [2] = "dsa", [3] = "ecdsa", + [4] = "rsa_pss_sha256", + [5] = "rsa_pss_sha384", + [6] = "rsa_pss_sha512", + [7] = "ed25519", + [8] = "ed448", + [9] = "rsa_pss_sha256", + [10] = "rsa_pss_sha384", + [11] = "rsa_pss_sha512", + [64] = "gostr34102012_256", + [65] = "gostr34102012_256", } &default=function(i: count):string { return fmt("unknown-%d", i); }; ## Mapping between numeric codes and human readable strings for alert diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout index d5ab2cf618..7347ea650f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout 
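Review bot: In the second consts.zeek hunk (the signature-algorithm table), `[65]` repeats the string given for `[64]`, `"gostr34102012_256"`, which looks like a copy-paste slip. The IANA registry lists 65 as the 512-bit variant, so I would expect `[65] = "gostr34102012_512",`. Codes 4–6 and 9–11 are also mapped to identical names, although RFC 8446 distinguishes them as the `rsa_pss_rsae_*` and `rsa_pss_pss_*` schemes. With one shared name, logs and detection scripts keyed on the string cannot tell which scheme a peer offered. If distinct names are adopted, the `tls-extension-events` baseline updated in this commit needs regenerating; the table itself starts outside the hunk.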
@@ -33,9 +33,9 @@ signature_algorithm, 192.168.6.240, 139.162.123.134 sha256, ecdsa sha384, ecdsa sha512, ecdsa -unknown-8, unknown-4 -unknown-8, unknown-5 -unknown-8, unknown-6 +Intrinsic, rsa_pss_sha256 +Intrinsic, rsa_pss_sha384 +Intrinsic, rsa_pss_sha512 sha256, rsa sha384, rsa sha512, rsa @@ -66,9 +66,9 @@ signature_algorithm, 192.168.6.240, 139.162.123.134 sha256, ecdsa sha384, ecdsa sha512, ecdsa -unknown-8, unknown-4 -unknown-8, unknown-5 -unknown-8, unknown-6 +Intrinsic, rsa_pss_sha256 +Intrinsic, rsa_pss_sha384 +Intrinsic, rsa_pss_sha512 sha256, rsa sha384, rsa sha512, rsa From aebcb1415d74ef71f90b7dfc651c3f6025b34647 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Mon, 22 Apr 2019 19:42:52 -0700 Subject: [PATCH 83/88] GH-234: rename Broxygen to Zeexygen along with roles/directives * All "Broxygen" usages have been replaced in code, documentation, filenames, etc. * Sphinx roles/directives like ":bro:see" are now ":zeek:see" * The "--broxygen" command-line option is now "--zeexygen" --- CHANGES | 11 + NEWS | 8 + VERSION | 2 +- doc | 2 +- man/bro.8 | 4 +- scripts/base/files/extract/main.zeek | 6 +- scripts/base/frameworks/analyzer/main.zeek | 6 +- scripts/base/frameworks/broker/main.zeek | 38 +- scripts/base/frameworks/broker/store.zeek | 2 +- scripts/base/frameworks/cluster/__load__.zeek | 2 +- scripts/base/frameworks/cluster/main.zeek | 36 +- scripts/base/frameworks/cluster/pools.zeek | 16 +- .../frameworks/cluster/setup-connections.zeek | 2 +- scripts/base/frameworks/config/main.zeek | 6 +- scripts/base/frameworks/control/main.zeek | 8 +- scripts/base/frameworks/files/main.zeek | 26 +- scripts/base/frameworks/input/main.zeek | 2 +- scripts/base/frameworks/intel/main.zeek | 6 +- scripts/base/frameworks/logging/main.zeek | 58 +- .../logging/postprocessors/scp.zeek | 16 +- .../logging/postprocessors/sftp.zeek | 16 +- .../netcontrol/catch-and-release.zeek | 12 +- scripts/base/frameworks/netcontrol/drop.zeek | 2 +- scripts/base/frameworks/netcontrol/main.zeek | 8 +- .../frameworks/netcontrol/plugins/broker.zeek | 2 +- .../netcontrol/plugins/openflow.zeek | 2 +- scripts/base/frameworks/netcontrol/shunt.zeek | 2 +- scripts/base/frameworks/netcontrol/types.zeek | 24 +- .../notice/actions/add-geodata.zeek | 2 +- .../base/frameworks/notice/actions/drop.zeek | 2 +- .../notice/actions/email_admin.zeek | 4 +- .../base/frameworks/notice/actions/page.zeek | 4 +- .../frameworks/notice/actions/pp-alarms.zeek | 2 +- scripts/base/frameworks/notice/main.zeek | 48 +- .../base/frameworks/openflow/plugins/log.zeek | 2 +- .../base/frameworks/packet-filter/main.zeek | 6 +- .../base/frameworks/packet-filter/utils.zeek | 2 +- 
scripts/base/frameworks/reporter/main.zeek | 6 +- scripts/base/frameworks/signatures/main.zeek | 20 +- scripts/base/frameworks/software/main.zeek | 14 +- scripts/base/frameworks/sumstats/cluster.zeek | 4 +- scripts/base/frameworks/sumstats/main.zeek | 6 +- .../frameworks/sumstats/plugins/last.zeek | 2 +- scripts/base/frameworks/tunnels/main.zeek | 24 +- scripts/base/init-bare.zeek | 588 ++++++++--------- scripts/base/misc/find-filtered-trace.zeek | 2 +- scripts/base/protocols/conn/contents.zeek | 2 +- scripts/base/protocols/conn/main.zeek | 14 +- scripts/base/protocols/dhcp/main.zeek | 6 +- scripts/base/protocols/dns/main.zeek | 6 +- scripts/base/protocols/ftp/gridftp.zeek | 10 +- scripts/base/protocols/ftp/main.zeek | 2 +- scripts/base/protocols/ftp/utils.zeek | 8 +- scripts/base/protocols/http/entities.zeek | 20 +- scripts/base/protocols/http/utils.zeek | 8 +- scripts/base/protocols/ssh/main.zeek | 10 +- scripts/base/utils/active-http.zeek | 2 +- scripts/base/utils/conn-ids.zeek | 2 +- scripts/base/utils/dir.zeek | 2 +- scripts/base/utils/exec.zeek | 2 +- scripts/base/utils/geoip-distance.zeek | 2 +- scripts/base/utils/paths.zeek | 2 +- scripts/base/utils/patterns.zeek | 2 +- scripts/base/utils/site.zeek | 16 +- scripts/base/utils/thresholds.zeek | 12 +- scripts/base/utils/urls.zeek | 2 +- scripts/broxygen/README | 4 - .../dpd/packet-segment-logging.zeek | 2 +- .../notice/extend-email/hostnames.zeek | 4 +- .../frameworks/packet-filter/shunt.zeek | 4 +- .../frameworks/software/version-changes.zeek | 2 +- .../policy/integration/barnyard2/main.zeek | 4 +- scripts/policy/misc/capture-loss.zeek | 2 +- .../policy/misc/detect-traceroute/main.zeek | 2 +- scripts/policy/misc/profiling.zeek | 2 +- scripts/policy/misc/scan.zeek | 8 +- scripts/policy/misc/trim-trace-file.zeek | 2 +- .../policy/protocols/conn/known-hosts.zeek | 10 +- .../policy/protocols/conn/known-services.zeek | 12 +- .../protocols/dhcp/deprecated_events.zeek | 24 +- 
.../protocols/dns/detect-external-names.zeek | 4 +- .../policy/protocols/http/detect-sqli.zeek | 2 +- .../protocols/smtp/entities-excerpt.zeek | 2 +- .../protocols/ssh/detect-bruteforcing.zeek | 2 +- scripts/policy/protocols/ssh/geo-data.zeek | 2 +- .../protocols/ssh/interesting-hostnames.zeek | 2 +- .../policy/protocols/ssl/expiring-certs.zeek | 4 +- scripts/policy/protocols/ssl/known-certs.zeek | 8 +- scripts/zeexygen/README | 4 + scripts/{broxygen => zeexygen}/__load__.zeek | 0 scripts/{broxygen => zeexygen}/example.zeek | 32 +- src/Attr.cc | 6 +- src/CMakeLists.txt | 2 +- src/DebugLogger.cc | 2 +- src/DebugLogger.h | 2 +- src/ID.cc | 20 +- src/Type.cc | 50 +- src/analyzer/protocol/arp/events.bif | 6 +- src/analyzer/protocol/bittorrent/events.bif | 36 +- src/analyzer/protocol/conn-size/events.bif | 4 +- src/analyzer/protocol/conn-size/functions.bif | 8 +- src/analyzer/protocol/dce-rpc/events.bif | 14 +- src/analyzer/protocol/dns/events.bif | 40 +- src/analyzer/protocol/finger/events.bif | 4 +- src/analyzer/protocol/ftp/events.bif | 4 +- src/analyzer/protocol/ftp/functions.bif | 18 +- src/analyzer/protocol/gnutella/events.bif | 12 +- src/analyzer/protocol/http/events.bif | 30 +- src/analyzer/protocol/http/functions.bif | 2 +- src/analyzer/protocol/icmp/events.bif | 30 +- src/analyzer/protocol/ident/events.bif | 6 +- src/analyzer/protocol/irc/events.bif | 70 +- src/analyzer/protocol/krb/events.bif | 20 +- src/analyzer/protocol/login/events.bif | 70 +- src/analyzer/protocol/login/functions.bif | 6 +- src/analyzer/protocol/mime/events.bif | 34 +- src/analyzer/protocol/mysql/events.bif | 12 +- src/analyzer/protocol/ncp/events.bif | 4 +- src/analyzer/protocol/netbios/events.bif | 14 +- src/analyzer/protocol/netbios/functions.bif | 4 +- src/analyzer/protocol/ntlm/events.bif | 6 +- src/analyzer/protocol/ntp/events.bif | 2 +- src/analyzer/protocol/pop3/events.bif | 14 +- src/analyzer/protocol/rpc/events.bif | 102 +-- src/analyzer/protocol/sip/events.bif | 12 +- 
src/analyzer/protocol/smb/events.bif | 2 +- .../protocol/smb/smb1_com_check_directory.bif | 4 +- src/analyzer/protocol/smb/smb1_com_close.bif | 2 +- .../smb/smb1_com_create_directory.bif | 4 +- src/analyzer/protocol/smb/smb1_com_echo.bif | 4 +- .../protocol/smb/smb1_com_logoff_andx.bif | 2 +- .../protocol/smb/smb1_com_negotiate.bif | 4 +- .../protocol/smb/smb1_com_nt_cancel.bif | 2 +- .../protocol/smb/smb1_com_nt_create_andx.bif | 4 +- .../smb/smb1_com_query_information.bif | 2 +- .../protocol/smb/smb1_com_read_andx.bif | 4 +- .../smb/smb1_com_session_setup_andx.bif | 4 +- .../protocol/smb/smb1_com_transaction.bif | 2 +- .../protocol/smb/smb1_com_transaction2.bif | 8 +- .../smb/smb1_com_tree_connect_andx.bif | 4 +- .../protocol/smb/smb1_com_tree_disconnect.bif | 2 +- .../protocol/smb/smb1_com_write_andx.bif | 4 +- src/analyzer/protocol/smb/smb1_events.bif | 6 +- src/analyzer/protocol/smb/smb2_com_close.bif | 4 +- src/analyzer/protocol/smb/smb2_com_create.bif | 4 +- .../protocol/smb/smb2_com_negotiate.bif | 4 +- src/analyzer/protocol/smb/smb2_com_read.bif | 2 +- .../protocol/smb/smb2_com_session_setup.bif | 4 +- .../protocol/smb/smb2_com_set_info.bif | 8 +- .../smb/smb2_com_transform_header.bif | 2 +- .../protocol/smb/smb2_com_tree_connect.bif | 4 +- .../protocol/smb/smb2_com_tree_disconnect.bif | 4 +- src/analyzer/protocol/smb/smb2_com_write.bif | 4 +- src/analyzer/protocol/smb/smb2_events.bif | 2 +- src/analyzer/protocol/smtp/events.bif | 8 +- src/analyzer/protocol/smtp/functions.bif | 2 +- src/analyzer/protocol/ssh/events.bif | 24 +- src/analyzer/protocol/ssl/events.bif | 66 +- src/analyzer/protocol/tcp/events.bif | 66 +- src/analyzer/protocol/tcp/functions.bif | 14 +- src/analyzer/protocol/teredo/events.bif | 10 +- src/analyzer/protocol/udp/events.bif | 16 +- src/bro.bif | 610 +++++++++--------- src/broker/data.bif | 2 +- src/broker/messaging.bif | 8 +- src/event.bif | 212 +++--- src/file_analysis/analyzer/extract/events.bif | 6 +- 
.../analyzer/extract/functions.bif | 2 +- src/file_analysis/analyzer/hash/events.bif | 2 +- src/file_analysis/analyzer/pe/events.bif | 10 +- src/file_analysis/analyzer/x509/events.bif | 10 +- src/file_analysis/analyzer/x509/functions.bif | 16 +- .../analyzer/x509/ocsp_events.bif | 12 +- src/file_analysis/file_analysis.bif | 24 +- src/iosource/pcap/pcap.bif | 8 +- src/main.cc | 24 +- src/option.bif | 10 +- src/parse.y | 26 +- src/plugin/ComponentManager.h | 4 +- src/probabilistic/bloom-filter.bif | 28 +- src/probabilistic/cardinality-counter.bif | 12 +- src/probabilistic/top-k.bif | 24 +- src/reporter.bif | 6 +- src/scan.l | 12 +- src/stats.bif | 26 +- src/strings.bif | 110 ++-- src/{broxygen => zeexygen}/CMakeLists.txt | 8 +- src/{broxygen => zeexygen}/Configuration.cc | 12 +- src/{broxygen => zeexygen}/Configuration.h | 14 +- src/{broxygen => zeexygen}/IdentifierInfo.cc | 4 +- src/{broxygen => zeexygen}/IdentifierInfo.h | 16 +- src/{broxygen => zeexygen}/Info.h | 10 +- src/{broxygen => zeexygen}/Manager.cc | 48 +- src/{broxygen => zeexygen}/Manager.h | 34 +- src/{broxygen => zeexygen}/PackageInfo.cc | 8 +- src/{broxygen => zeexygen}/PackageInfo.h | 8 +- .../ReStructuredTextTable.cc | 2 +- .../ReStructuredTextTable.h | 8 +- src/{broxygen => zeexygen}/ScriptInfo.cc | 48 +- src/{broxygen => zeexygen}/ScriptInfo.h | 12 +- src/{broxygen => zeexygen}/Target.cc | 54 +- src/{broxygen => zeexygen}/Target.h | 14 +- src/{broxygen => zeexygen}/utils.cc | 18 +- src/{broxygen => zeexygen}/utils.h | 12 +- .../broxygen.bif => zeexygen/zeexygen.bif} | 24 +- .../btest/Baseline/core.plugins.hooks/output | 6 +- .../canonified_loaded_scripts.log | 2 +- .../Baseline/coverage.bare-mode-errors/errors | 2 +- .../canonified_loaded_scripts.log | 2 +- .../Baseline/doc.broxygen.example/example.rst | 248 ------- .../autogen-reST-func-params.rst | 30 - .../Baseline/doc.broxygen.identifier/test.rst | 230 ------- .../doc.broxygen.package_index/test.rst | 7 - .../autogen-reST-records.rst | 28 - 
.../doc.broxygen.script_index/test.rst | 5 - .../autogen-reST-type-aliases.rst | 44 -- .../.stderr | 0 .../.stdout | 0 .../output | 0 .../out | 0 .../autogen-reST-enums.rst | 30 +- .../Baseline/doc.zeexygen.example/example.rst | 248 +++++++ .../autogen-reST-func-params.rst | 30 + .../Baseline/doc.zeexygen.identifier/test.rst | 230 +++++++ .../test.rst | 20 +- .../doc.zeexygen.package_index/test.rst | 7 + .../autogen-reST-records.rst | 28 + .../doc.zeexygen.script_index/test.rst | 5 + .../test.rst | 12 +- .../autogen-reST-type-aliases.rst | 44 ++ .../autogen-reST-vectors.rst | 12 +- testing/btest/Baseline/plugins.hooks/output | 20 +- testing/btest/coverage/broxygen.sh | 14 +- .../btest/coverage/sphinx-broxygen-docs.sh | 8 +- testing/btest/doc/broxygen/example.zeek | 8 - testing/btest/doc/broxygen/identifier.zeek | 9 - testing/btest/doc/broxygen/package.zeek | 9 - testing/btest/doc/broxygen/package_index.zeek | 9 - testing/btest/doc/broxygen/script_index.zeek | 9 - .../btest/doc/broxygen/script_summary.zeek | 9 - .../{broxygen => zeexygen}/command_line.zeek | 0 .../comment_retrieval_bifs.zeek | 0 .../doc/{broxygen => zeexygen}/enums.zeek | 4 +- testing/btest/doc/zeexygen/example.zeek | 8 + .../{broxygen => zeexygen}/func-params.zeek | 4 +- testing/btest/doc/zeexygen/identifier.zeek | 9 + testing/btest/doc/zeexygen/package.zeek | 9 + testing/btest/doc/zeexygen/package_index.zeek | 9 + .../doc/{broxygen => zeexygen}/records.zeek | 4 +- testing/btest/doc/zeexygen/script_index.zeek | 9 + .../btest/doc/zeexygen/script_summary.zeek | 9 + .../{broxygen => zeexygen}/type-aliases.zeek | 8 +- .../doc/{broxygen => zeexygen}/vectors.zeek | 4 +- ...-broxygen-docs.sh => gen-zeexygen-docs.sh} | 16 +- 254 files changed, 2675 insertions(+), 2656 deletions(-) delete mode 100644 scripts/broxygen/README create mode 100644 scripts/zeexygen/README rename scripts/{broxygen => zeexygen}/__load__.zeek (100%) rename scripts/{broxygen => zeexygen}/example.zeek (88%) rename src/{broxygen => 
zeexygen}/CMakeLists.txt (73%) rename src/{broxygen => zeexygen}/Configuration.cc (87%) rename src/{broxygen => zeexygen}/Configuration.h (80%) rename src/{broxygen => zeexygen}/IdentifierInfo.cc (97%) rename src/{broxygen => zeexygen}/IdentifierInfo.h (92%) rename src/{broxygen => zeexygen}/Info.h (89%) rename src/{broxygen => zeexygen}/Manager.cc (87%) rename src/{broxygen => zeexygen}/Manager.h (89%) rename src/{broxygen => zeexygen}/PackageInfo.cc (85%) rename src/{broxygen => zeexygen}/PackageInfo.h (89%) rename src/{broxygen => zeexygen}/ReStructuredTextTable.cc (98%) rename src/{broxygen => zeexygen}/ReStructuredTextTable.h (92%) rename src/{broxygen => zeexygen}/ScriptInfo.cc (86%) rename src/{broxygen => zeexygen}/ScriptInfo.h (92%) rename src/{broxygen => zeexygen}/Target.cc (89%) rename src/{broxygen => zeexygen}/Target.h (96%) rename src/{broxygen => zeexygen}/utils.cc (83%) rename src/{broxygen => zeexygen}/utils.h (88%) rename src/{broxygen/broxygen.bif => zeexygen/zeexygen.bif} (81%) delete mode 100644 testing/btest/Baseline/doc.broxygen.example/example.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.identifier/test.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.package_index/test.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.script_index/test.rst delete mode 100644 testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst rename testing/btest/Baseline/{doc.broxygen.all_scripts => doc.zeexygen.all_scripts}/.stderr (100%) rename testing/btest/Baseline/{doc.broxygen.all_scripts => doc.zeexygen.all_scripts}/.stdout (100%) rename testing/btest/Baseline/{doc.broxygen.command_line => doc.zeexygen.command_line}/output (100%) rename testing/btest/Baseline/{doc.broxygen.comment_retrieval_bifs => 
doc.zeexygen.comment_retrieval_bifs}/out (100%) rename testing/btest/Baseline/{doc.broxygen.enums => doc.zeexygen.enums}/autogen-reST-enums.rst (51%) create mode 100644 testing/btest/Baseline/doc.zeexygen.example/example.rst create mode 100644 testing/btest/Baseline/doc.zeexygen.func-params/autogen-reST-func-params.rst create mode 100644 testing/btest/Baseline/doc.zeexygen.identifier/test.rst rename testing/btest/Baseline/{doc.broxygen.package => doc.zeexygen.package}/test.rst (58%) create mode 100644 testing/btest/Baseline/doc.zeexygen.package_index/test.rst create mode 100644 testing/btest/Baseline/doc.zeexygen.records/autogen-reST-records.rst create mode 100644 testing/btest/Baseline/doc.zeexygen.script_index/test.rst rename testing/btest/Baseline/{doc.broxygen.script_summary => doc.zeexygen.script_summary}/test.rst (64%) create mode 100644 testing/btest/Baseline/doc.zeexygen.type-aliases/autogen-reST-type-aliases.rst rename testing/btest/Baseline/{doc.broxygen.vectors => doc.zeexygen.vectors}/autogen-reST-vectors.rst (50%) delete mode 100644 testing/btest/doc/broxygen/example.zeek delete mode 100644 testing/btest/doc/broxygen/identifier.zeek delete mode 100644 testing/btest/doc/broxygen/package.zeek delete mode 100644 testing/btest/doc/broxygen/package_index.zeek delete mode 100644 testing/btest/doc/broxygen/script_index.zeek delete mode 100644 testing/btest/doc/broxygen/script_summary.zeek rename testing/btest/doc/{broxygen => zeexygen}/command_line.zeek (100%) rename testing/btest/doc/{broxygen => zeexygen}/comment_retrieval_bifs.zeek (100%) rename testing/btest/doc/{broxygen => zeexygen}/enums.zeek (89%) create mode 100644 testing/btest/doc/zeexygen/example.zeek rename testing/btest/doc/{broxygen => zeexygen}/func-params.zeek (83%) create mode 100644 testing/btest/doc/zeexygen/identifier.zeek create mode 100644 testing/btest/doc/zeexygen/package.zeek create mode 100644 testing/btest/doc/zeexygen/package_index.zeek rename testing/btest/doc/{broxygen => 
zeexygen}/records.zeek (84%) create mode 100644 testing/btest/doc/zeexygen/script_index.zeek create mode 100644 testing/btest/doc/zeexygen/script_summary.zeek rename testing/btest/doc/{broxygen => zeexygen}/type-aliases.zeek (81%) rename testing/btest/doc/{broxygen => zeexygen}/vectors.zeek (83%) rename testing/scripts/{gen-broxygen-docs.sh => gen-zeexygen-docs.sh} (81%) diff --git a/CHANGES b/CHANGES index add558f878..a65621f999 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,15 @@ +2.6-243 | 2019-04-22 19:42:52 -0700 + + * GH-234: rename Broxygen to Zeexygen along with roles/directives (Jon Siwek, Corelight) + + * All "Broxygen" usages have been replaced in + code, documentation, filenames, etc. + + * Sphinx roles/directives like ":bro:see" are now ":zeek:see" + + * The "--broxygen" command-line option is now "--zeexygen" + 2.6-242 | 2019-04-22 22:43:09 +0200 * update SSL consts from TLS 1.3 (Johanna Amann) diff --git a/NEWS b/NEWS index 55f1330c9a..b93aa2300b 100644 --- a/NEWS +++ b/NEWS @@ -175,6 +175,14 @@ Changed Functionality the end of a connection (in a FIN or RST) are considered unreliable and aren't counted as true gaps. +- The Broxygen component, which is used to generate our Doxygen-like + scripting API documentation has been renamed to Zeexygen. This likely has + no breaking or visible changes for most users, except in the case one + used it to generate their own documentation via the ``--broxygen`` flag, + which is now named ``--zeexygen``. Besides that, the various documentation + in scripts has also been updated to replace Sphinx cross-referencing roles + and directives like ":bro:see:" with ":zeek:zee:". + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index 39cb43fbe0..f3ae812fb9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-242 +2.6-243 diff --git a/doc b/doc index 38f6edaf27..dc37959938 160000 --- a/doc +++ b/doc 
@@ -1 +1 @@
-Subproject commit 38f6edaf273401eef51cf754010f144be6398066
+Subproject commit dc37959938b9a70a642e7be48693d5c5fd3d5e80
diff --git a/man/bro.8 b/man/bro.8
index 66d0fc4f20..a4c54d48f6 100644
--- a/man/bro.8
+++ b/man/bro.8
@@ -99,7 +99,7 @@ Record process status in file
 \fB\-W\fR,\ \-\-watchdog
 activate watchdog timer
 .TP
-\fB\-X\fR,\ \-\-broxygen
+\fB\-X\fR,\ \-\-zeexygen
 generate documentation based on config file
 .TP
 \fB\-\-pseudo\-realtime[=\fR]
@@ -150,7 +150,7 @@ ASCII log file extension
 Output file for script execution statistics
 .TP
 .B BRO_DISABLE_BROXYGEN
-Disable Broxygen documentation support
+Disable Zeexygen (Broxygen) documentation support
 .SH AUTHOR
 .B bro
 was written by The Bro Project .
diff --git a/scripts/base/files/extract/main.zeek b/scripts/base/files/extract/main.zeek
index eaae44a089..93288c5127 100644
--- a/scripts/base/files/extract/main.zeek
+++ b/scripts/base/files/extract/main.zeek
@@ -29,12 +29,12 @@ export {
 ## to know where to write the file to. If not specified, then
 ## a filename in the format "extract--" is
 ## automatically assigned (using the *source* and *id*
- ## fields of :bro:see:`fa_file`).
+ ## fields of :zeek:see:`fa_file`).
 extract_filename: string &optional;
 ## The maximum allowed file size in bytes of *extract_filename*.
- ## Once reached, a :bro:see:`file_extraction_limit` event is
+ ## Once reached, a :zeek:see:`file_extraction_limit` event is
 ## raised and the analyzer will be removed unless
- ## :bro:see:`FileExtract::set_limit` is called to increase the
+ ## :zeek:see:`FileExtract::set_limit` is called to increase the
 ## limit. A value of zero means "no limit".
 extract_limit: count &default=default_limit;
 };
diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek
index 57a602f308..0775768dca 100644
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -5,7 +5,7 @@ ##! particular analyzer for new connections. ##! ##! Protocol analyzers are identified by unique tags of type -##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP`. +##! :zeek:type:`Analyzer::Tag`, such as :zeek:enum:`Analyzer::ANALYZER_HTTP`. ##! These tags are defined internally by ##! the analyzers themselves, and documented in their analyzer-specific ##! description along with the events that they generate. @@ -17,7 +17,7 @@ module Analyzer; export { ## If true, all available analyzers are initially disabled at startup. ## One can then selectively enable them with - ## :bro:id:`Analyzer::enable_analyzer`. + ## :zeek:id:`Analyzer::enable_analyzer`. global disable_all = F &redef; ## Enables an analyzer. Once enabled, the analyzer may be used for analysis @@ -109,7 +109,7 @@ export { ## Automatically creates a BPF filter for the specified protocol based ## on the data supplied for the protocol through the - ## :bro:see:`Analyzer::register_for_ports` function. + ## :zeek:see:`Analyzer::register_for_ports` function. ## ## tag: The analyzer tag. ## diff --git a/scripts/base/frameworks/broker/main.zeek b/scripts/base/frameworks/broker/main.zeek index 93ed69c3c5..f64ff0ce14 100644 --- a/scripts/base/frameworks/broker/main.zeek +++ b/scripts/base/frameworks/broker/main.zeek 
@@ -10,19 +10,19 @@ export { ## Default interval to retry listening on a port if it's currently in ## use already. Use of the BRO_DEFAULT_LISTEN_RETRY environment variable ## (set as a number of seconds) will override this option and also - ## any values given to :bro:see:`Broker::listen`. + ## any values given to :zeek:see:`Broker::listen`. const default_listen_retry = 30sec &redef; ## Default address on which to listen. ## - ## .. bro:see:: Broker::listen + ## .. zeek:see:: Broker::listen const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef; ## Default interval to retry connecting to a peer if it cannot be made to ## work initially, or if it ever becomes disconnected. Use of the ## BRO_DEFAULT_CONNECT_RETRY environment variable (set as number of ## seconds) will override this option and also any values given to - ## :bro:see:`Broker::peer`. + ## :zeek:see:`Broker::peer`. const default_connect_retry = 30sec &redef; ## If true, do not use SSL for network connections. By default, SSL will @@ -47,7 +47,7 @@ export { const ssl_certificate = "" &redef; ## Passphrase to decrypt the private key specified by - ## :bro:see:`Broker::ssl_keyfile`. If set, Bro will require valid + ## :zeek:see:`Broker::ssl_keyfile`. If set, Bro will require valid ## certificates for all peers. const ssl_passphrase = "" &redef; @@ -96,7 +96,7 @@ export { ## Forward all received messages to subscribing peers. const forward_messages = F &redef; - ## Whether calling :bro:see:`Broker::peer` will register the Broker + ## Whether calling :zeek:see:`Broker::peer` will register the Broker ## system as an I/O source that will block the process from shutting ## down. For example, set this to false when you are reading pcaps, ## but also want to initaiate a Broker peering and still shutdown after 
@@ -107,7 +107,7 @@ export { ## id is appended when writing to a particular stream. const default_log_topic_prefix = "bro/logs/" &redef; - ## The default implementation for :bro:see:`Broker::log_topic`. + ## The default implementation for :zeek:see:`Broker::log_topic`. function default_log_topic(id: Log::ID, path: string): string { return default_log_topic_prefix + cat(id); @@ -116,7 +116,7 @@ export { ## A function that will be called for each log entry to determine what ## broker topic string will be used for sending it to peers. The ## default implementation will return a value based on - ## :bro:see:`Broker::default_log_topic_prefix`. + ## :zeek:see:`Broker::default_log_topic_prefix`. ## ## id: the ID associated with the log stream entry that will be sent. ## @@ -232,7 +232,7 @@ export { ## ## Returns: the bound port or 0/? on failure. ## - ## .. bro:see:: Broker::status + ## .. zeek:see:: Broker::status global listen: function(a: string &default = default_listen_address, p: port &default = default_port, retry: interval &default = default_listen_retry): port; @@ -252,7 +252,7 @@ export { ## it's a new peer. The actual connection may not be established ## until a later point in time. ## - ## .. bro:see:: Broker::status + ## .. zeek:see:: Broker::status global peer: function(a: string, p: port &default=default_port, retry: interval &default=default_connect_retry): bool; 
@@ -262,12 +262,12 @@ export { ## just means that we won't exchange any further information with it ## unless peering resumes later. ## - ## a: the address used in previous successful call to :bro:see:`Broker::peer`. + ## a: the address used in previous successful call to :zeek:see:`Broker::peer`. ## - ## p: the port used in previous successful call to :bro:see:`Broker::peer`. + ## p: the port used in previous successful call to :zeek:see:`Broker::peer`. ## ## Returns: true if the arguments match a previously successful call to - ## :bro:see:`Broker::peer`. + ## :zeek:see:`Broker::peer`. ## ## TODO: We do not have a function yet to terminate a connection. global unpeer: function(a: string, p: port): bool; @@ -298,7 +298,7 @@ export { ## Register interest in all peer event messages that use a certain topic ## prefix. Note that subscriptions may not be altered immediately after - ## calling (except during :bro:see:`zeek_init`). + ## calling (except during :zeek:see:`zeek_init`). ## ## topic_prefix: a prefix to match against remote message topics. ## e.g. an empty prefix matches everything and "a" matches @@ -309,10 +309,10 @@ export { ## Unregister interest in all peer event messages that use a topic prefix. ## Note that subscriptions may not be altered immediately after calling - ## (except during :bro:see:`zeek_init`). + ## (except during :zeek:see:`zeek_init`). ## ## topic_prefix: a prefix previously supplied to a successful call to - ## :bro:see:`Broker::subscribe` or :bro:see:`Broker::forward`. + ## :zeek:see:`Broker::subscribe` or :zeek:see:`Broker::forward`. ## ## Returns: true if interest in the topic prefix is no longer advertised. global unsubscribe: function(topic_prefix: string): bool; 
@@ -320,8 +320,8 @@ export { ## Register a topic prefix subscription for events that should only be ## forwarded to any subscribing peers and not raise any event handlers ## on the receiving/forwarding node. i.e. it's the same as - ## :bro:see:`Broker::subscribe` except matching events are not raised - ## on the receiver, just forwarded. Use :bro:see:`Broker::unsubscribe` + ## :zeek:see:`Broker::subscribe` except matching events are not raised + ## on the receiver, just forwarded. Use :zeek:see:`Broker::unsubscribe` ## with the same argument to undo this operation. ## ## topic_prefix: a prefix to match against remote message topics. @@ -346,9 +346,9 @@ export { ## Stop automatically sending an event to peers upon local dispatch. ## - ## topic: a topic originally given to :bro:see:`Broker::auto_publish`. + ## topic: a topic originally given to :zeek:see:`Broker::auto_publish`. ## - ## ev: an event originally given to :bro:see:`Broker::auto_publish`. + ## ev: an event originally given to :zeek:see:`Broker::auto_publish`. ## ## Returns: true if automatic events will not occur for the topic/event ## pair. diff --git a/scripts/base/frameworks/broker/store.zeek b/scripts/base/frameworks/broker/store.zeek index 2e216afa93..dace2032c9 100644 --- a/scripts/base/frameworks/broker/store.zeek +++ b/scripts/base/frameworks/broker/store.zeek @@ -353,7 +353,7 @@ export { ## ## Returns: a set with the keys. If you expect the keys to be of ## non-uniform type, consider using - ## :bro:see:`Broker::set_iterator` to iterate over the result. + ## :zeek:see:`Broker::set_iterator` to iterate over the result. global keys: function(h: opaque of Broker::Store): QueryResult; ## Deletes all of a store's content, it will be empty afterwards. diff --git a/scripts/base/frameworks/cluster/__load__.zeek b/scripts/base/frameworks/cluster/__load__.zeek index 20060357a4..e3b318c1d5 100644 --- a/scripts/base/frameworks/cluster/__load__.zeek +++ b/scripts/base/frameworks/cluster/__load__.zeek 
@@ -17,7 +17,7 @@ redef Broker::log_topic = Cluster::rr_log_topic; # If this script isn't found anywhere, the cluster bombs out. # Loading the cluster framework requires that a script by this name exists # somewhere in the BROPATH. The only thing in the file should be the -# cluster definition in the :bro:id:`Cluster::nodes` variable. +# cluster definition in the :zeek:id:`Cluster::nodes` variable. @load cluster-layout @if ( Cluster::node in Cluster::nodes ) diff --git a/scripts/base/frameworks/cluster/main.zeek b/scripts/base/frameworks/cluster/main.zeek index 08d48ac858..02c063c346 100644 --- a/scripts/base/frameworks/cluster/main.zeek +++ b/scripts/base/frameworks/cluster/main.zeek @@ -1,8 +1,8 @@ ##! A framework for establishing and controlling a cluster of Bro instances. ##! In order to use the cluster framework, a script named ##! ``cluster-layout.zeek`` must exist somewhere in Bro's script search path -##! which has a cluster definition of the :bro:id:`Cluster::nodes` variable. -##! The ``CLUSTER_NODE`` environment variable or :bro:id:`Cluster::node` +##! which has a cluster definition of the :zeek:id:`Cluster::nodes` variable. +##! The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node` ##! must also be sent and the cluster framework loaded as a package like ##! ``@load base/frameworks/cluster``. 
@@ -44,23 +44,23 @@ export { const nodeid_topic_prefix = "bro/cluster/nodeid/" &redef; ## Name of the node on which master data stores will be created if no other - ## has already been specified by the user in :bro:see:`Cluster::stores`. + ## has already been specified by the user in :zeek:see:`Cluster::stores`. ## An empty value means "use whatever name corresponds to the manager ## node". const default_master_node = "" &redef; ## The type of data store backend that will be used for all data stores if - ## no other has already been specified by the user in :bro:see:`Cluster::stores`. + ## no other has already been specified by the user in :zeek:see:`Cluster::stores`. const default_backend = Broker::MEMORY &redef; ## The type of persistent data store backend that will be used for all data ## stores if no other has already been specified by the user in - ## :bro:see:`Cluster::stores`. This will be used when script authors call - ## :bro:see:`Cluster::create_store` with the *persistent* argument set true. + ## :zeek:see:`Cluster::stores`. This will be used when script authors call + ## :zeek:see:`Cluster::create_store` with the *persistent* argument set true. const default_persistent_backend = Broker::SQLITE &redef; ## Setting a default dir will, for persistent backends that have not - ## been given an explicit file path via :bro:see:`Cluster::stores`, + ## been given an explicit file path via :zeek:see:`Cluster::stores`, ## automatically create a path within this dir that is based on the name of ## the data store. const default_store_dir = "" &redef; 
@@ -81,21 +81,21 @@ export { ## Parameters used for configuring the backend. options: Broker::BackendOptions &default=Broker::BackendOptions(); ## A resync/reconnect interval to pass through to - ## :bro:see:`Broker::create_clone`. + ## :zeek:see:`Broker::create_clone`. clone_resync_interval: interval &default=Broker::default_clone_resync_interval; ## A staleness duration to pass through to - ## :bro:see:`Broker::create_clone`. + ## :zeek:see:`Broker::create_clone`. clone_stale_interval: interval &default=Broker::default_clone_stale_interval; ## A mutation buffer interval to pass through to - ## :bro:see:`Broker::create_clone`. + ## :zeek:see:`Broker::create_clone`. clone_mutation_buffer_interval: interval &default=Broker::default_clone_mutation_buffer_interval; }; ## A table of cluster-enabled data stores that have been created, indexed ## by their name. This table will be populated automatically by - ## :bro:see:`Cluster::create_store`, but if you need to customize + ## :zeek:see:`Cluster::create_store`, but if you need to customize ## the options related to a particular data store, you may redef this - ## table. Calls to :bro:see:`Cluster::create_store` will first check + ## table. Calls to :zeek:see:`Cluster::create_store` will first check ## the table for an entry of the same name and, if found, will use the ## predefined options there when setting up the store. global stores: table[string] of StoreInfo &default=StoreInfo() &redef; 
@@ -174,15 +174,15 @@ export { ## This function can be called at any time to determine if the cluster ## framework is being enabled for this run. ## - ## Returns: True if :bro:id:`Cluster::node` has been set. + ## Returns: True if :zeek:id:`Cluster::node` has been set. global is_enabled: function(): bool; ## This function can be called at any time to determine what type of ## cluster node the current Bro instance is going to be acting as. - ## If :bro:id:`Cluster::is_enabled` returns false, then - ## :bro:enum:`Cluster::NONE` is returned. + ## If :zeek:id:`Cluster::is_enabled` returns false, then + ## :zeek:enum:`Cluster::NONE` is returned. ## - ## Returns: The :bro:type:`Cluster::NodeType` the calling node acts as. + ## Returns: The :zeek:type:`Cluster::NodeType` the calling node acts as. global local_node_type: function(): NodeType; ## This gives the value for the number of workers currently connected to, @@ -241,8 +241,8 @@ export { ## Retrieve the topic associated with a specific node in the cluster. ## - ## id: the id of the cluster node (from :bro:see:`Broker::EndpointInfo` - ## or :bro:see:`Broker::node_id`. + ## id: the id of the cluster node (from :zeek:see:`Broker::EndpointInfo` + ## or :zeek:see:`Broker::node_id`. ## ## Returns: a topic string that may used to send a message exclusively to ## a given cluster node. diff --git a/scripts/base/frameworks/cluster/pools.zeek b/scripts/base/frameworks/cluster/pools.zeek index 40f9a9cbf1..ae14a09527 100644 --- a/scripts/base/frameworks/cluster/pools.zeek +++ b/scripts/base/frameworks/cluster/pools.zeek 
@@ -58,17 +58,17 @@ export { alive_count: count &default = 0; }; - ## The specification for :bro:see:`Cluster::proxy_pool`. + ## The specification for :zeek:see:`Cluster::proxy_pool`. global proxy_pool_spec: PoolSpec = PoolSpec($topic = "bro/cluster/pool/proxy", $node_type = Cluster::PROXY) &redef; - ## The specification for :bro:see:`Cluster::worker_pool`. + ## The specification for :zeek:see:`Cluster::worker_pool`. global worker_pool_spec: PoolSpec = PoolSpec($topic = "bro/cluster/pool/worker", $node_type = Cluster::WORKER) &redef; - ## The specification for :bro:see:`Cluster::logger_pool`. + ## The specification for :zeek:see:`Cluster::logger_pool`. global logger_pool_spec: PoolSpec = PoolSpec($topic = "bro/cluster/pool/logger", $node_type = Cluster::LOGGER) &redef; @@ -120,10 +120,10 @@ export { global rr_topic: function(pool: Pool, key: string &default=""): string; ## Distributes log message topics among logger nodes via round-robin. - ## This will be automatically assigned to :bro:see:`Broker::log_topic` - ## if :bro:see:`Cluster::enable_round_robin_logging` is enabled. + ## This will be automatically assigned to :zeek:see:`Broker::log_topic` + ## if :zeek:see:`Cluster::enable_round_robin_logging` is enabled. ## If no logger nodes are active, then this will return the value - ## of :bro:see:`Broker::default_log_topic`. + ## of :zeek:see:`Broker::default_log_topic`. global rr_log_topic: function(id: Log::ID, path: string): string; } @@ -136,7 +136,7 @@ export { ## Returns: F if a node of the same name already exists in the pool, else T. global init_pool_node: function(pool: Pool, name: string): bool; -## Mark a pool node as alive/online/available. :bro:see:`Cluster::hrw_topic` +## Mark a pool node as alive/online/available. :zeek:see:`Cluster::hrw_topic` ## will distribute keys to nodes marked as alive. ## ## pool: the pool to which the node belongs. 
@@ -146,7 +146,7 @@ global init_pool_node: function(pool: Pool, name: string): bool; ## Returns: F if the node does not exist in the pool, else T. global mark_pool_node_alive: function(pool: Pool, name: string): bool; -## Mark a pool node as dead/offline/unavailable. :bro:see:`Cluster::hrw_topic` +## Mark a pool node as dead/offline/unavailable. :zeek:see:`Cluster::hrw_topic` ## will not distribute keys to nodes marked as dead. ## ## pool: the pool to which the node belongs. diff --git a/scripts/base/frameworks/cluster/setup-connections.zeek b/scripts/base/frameworks/cluster/setup-connections.zeek index 004dd22f2a..4903f62c0a 100644 --- a/scripts/base/frameworks/cluster/setup-connections.zeek +++ b/scripts/base/frameworks/cluster/setup-connections.zeek @@ -1,5 +1,5 @@ ##! This script establishes communication among all nodes in a cluster -##! as defined by :bro:id:`Cluster::nodes`. +##! as defined by :zeek:id:`Cluster::nodes`. @load ./main @load ./pools diff --git a/scripts/base/frameworks/config/main.zeek b/scripts/base/frameworks/config/main.zeek index aacebbc530..b801c82267 100644 --- a/scripts/base/frameworks/config/main.zeek +++ b/scripts/base/frameworks/config/main.zeek 
@@ -24,14 +24,14 @@ export { location: string &optional &log; }; - ## Event that can be handled to access the :bro:type:`Config::Info` + ## Event that can be handled to access the :zeek:type:`Config::Info` ## record as it is sent on to the logging framework. global log_config: event(rec: Info); ## This function is the config framework layer around the lower-level - ## :bro:see:`Option::set` call. Config::set_value will set the configuration + ## :zeek:see:`Option::set` call. Config::set_value will set the configuration ## value for all nodes in the cluster, no matter where it was called. Note - ## that :bro:see:`Option::set` does not distribute configuration changes + ## that :zeek:see:`Option::set` does not distribute configuration changes ## to other nodes. ## ## ID: The ID of the option to update. diff --git a/scripts/base/frameworks/control/main.zeek b/scripts/base/frameworks/control/main.zeek index e374806b55..ad1bf3bcce 100644 --- a/scripts/base/frameworks/control/main.zeek +++ b/scripts/base/frameworks/control/main.zeek @@ -8,7 +8,7 @@ export { ## The topic prefix used for exchanging control messages via Broker. const topic_prefix = "bro/control"; - ## Whether the controllee should call :bro:see:`Broker::listen`. + ## Whether the controllee should call :zeek:see:`Broker::listen`. ## In a cluster, this isn't needed since the setup process calls it. const controllee_listen = T &redef; @@ -18,7 +18,7 @@ export { ## The port of the host that will be controlled. const host_port = 0/tcp &redef; - ## If :bro:id:`Control::host` is a non-global IPv6 address and + ## If :zeek:id:`Control::host` is a non-global IPv6 address and ## requires a specific :rfc:`4007` ``zone_id``, it can be set here. const zone_id = "" &redef; 
@@ -45,7 +45,7 @@ export { ## Event for requesting the value of an ID (a variable). global id_value_request: event(id: string); ## Event for returning the value of an ID after an - ## :bro:id:`Control::id_value_request` event. + ## :zeek:id:`Control::id_value_request` event. global id_value_response: event(id: string, val: string); ## Requests the current communication status. @@ -62,7 +62,7 @@ export { ## updated. global configuration_update_request: event(); ## This event is a wrapper and alias for the - ## :bro:id:`Control::configuration_update_request` event. + ## :zeek:id:`Control::configuration_update_request` event. ## This event is also a primary hooking point for the control framework. global configuration_update: event(); ## Message in response to a configuration update request. diff --git a/scripts/base/frameworks/files/main.zeek b/scripts/base/frameworks/files/main.zeek index fc75d68e8e..591d6724e6 100644 --- a/scripts/base/frameworks/files/main.zeek +++ b/scripts/base/frameworks/files/main.zeek @@ -18,19 +18,19 @@ export { type AnalyzerArgs: record { ## An event which will be generated for all new file contents, ## chunk-wise. Used when *tag* (in the - ## :bro:see:`Files::add_analyzer` function) is - ## :bro:see:`Files::ANALYZER_DATA_EVENT`. + ## :zeek:see:`Files::add_analyzer` function) is + ## :zeek:see:`Files::ANALYZER_DATA_EVENT`. chunk_event: event(f: fa_file, data: string, off: count) &optional; ## An event which will be generated for all new file contents, ## stream-wise. Used when *tag* is - ## :bro:see:`Files::ANALYZER_DATA_EVENT`. + ## :zeek:see:`Files::ANALYZER_DATA_EVENT`. stream_event: event(f: fa_file, data: string) &optional; } &redef; ## Contains all metadata related to the analysis of a given file. ## For the most part, fields here are derived from ones of the same name - ## in :bro:see:`fa_file`. + ## in :zeek:see:`fa_file`. type Info: record { ## The time when the file was first seen. ts: time &log; 
@@ -66,7 +66,7 @@ export { analyzers: set[string] &default=string_set() &log; ## A mime type provided by the strongest file magic signature - ## match against the *bof_buffer* field of :bro:see:`fa_file`, + ## match against the *bof_buffer* field of :zeek:see:`fa_file`, ## or in the cases where no buffering of the beginning of file ## occurs, an initial guess of the mime type based on the first ## data seen. @@ -82,7 +82,7 @@ export { ## If the source of this file is a network connection, this field ## indicates if the data originated from the local network or not as - ## determined by the configured :bro:see:`Site::local_nets`. + ## determined by the configured :zeek:see:`Site::local_nets`. local_orig: bool &log &optional; ## If the source of this file is a network connection, this field @@ -118,8 +118,8 @@ export { const disable: table[Files::Tag] of bool = table() &redef; ## The salt concatenated to unique file handle strings generated by - ## :bro:see:`get_file_handle` before hashing them in to a file id - ## (the *id* field of :bro:see:`fa_file`). + ## :zeek:see:`get_file_handle` before hashing them in to a file id + ## (the *id* field of :zeek:see:`fa_file`). ## Provided to help mitigate the possibility of manipulating parts of ## network connections that factor in to the file handle in order to ## generate two handles that would hash to the same file id. @@ -142,11 +142,11 @@ export { ## Returns: T if the file uid is known. global file_exists: function(fuid: string): bool; - ## Lookup an :bro:see:`fa_file` record with the file id. + ## Lookup an :zeek:see:`fa_file` record with the file id. ## ## fuid: the file id. ## - ## Returns: the associated :bro:see:`fa_file` record. + ## Returns: the associated :zeek:see:`fa_file` record. global lookup_file: function(fuid: string): fa_file; ## Allows the file reassembler to be used if it's necessary because the 
@@ -169,10 +169,10 @@ export { ## max: Maximum allowed size of the reassembly buffer. global set_reassembly_buffer_size: function(f: fa_file, max: count); - ## Sets the *timeout_interval* field of :bro:see:`fa_file`, which is + ## Sets the *timeout_interval* field of :zeek:see:`fa_file`, which is ## used to determine the length of inactivity that is allowed for a file ## before internal state related to it is cleaned up. When used within - ## a :bro:see:`file_timeout` handler, the analysis will delay timing out + ## a :zeek:see:`file_timeout` handler, the analysis will delay timing out ## again for the period specified by *t*. ## ## f: the file. @@ -255,7 +255,7 @@ export { ## ## tag: Tag for the protocol analyzer having a callback being registered. ## - ## reg: A :bro:see:`Files::ProtoRegistration` record. + ## reg: A :zeek:see:`Files::ProtoRegistration` record. ## ## Returns: true if the protocol being registered was not previously registered. global register_protocol: function(tag: Analyzer::Tag, reg: ProtoRegistration): bool; diff --git a/scripts/base/frameworks/input/main.zeek b/scripts/base/frameworks/input/main.zeek index 0839602a7a..84488f130c 100644 --- a/scripts/base/frameworks/input/main.zeek +++ b/scripts/base/frameworks/input/main.zeek @@ -193,7 +193,7 @@ export { ## Descriptive name that uniquely identifies the input source. ## Can be used to remove a stream at a later time. ## This will also be used for the unique *source* field of - ## :bro:see:`fa_file`. Most of the time, the best choice for this + ## :zeek:see:`fa_file`. Most of the time, the best choice for this ## field will be the same value as the *source* field. name: string; diff --git a/scripts/base/frameworks/intel/main.zeek b/scripts/base/frameworks/intel/main.zeek index f59323369d..380cb39eaa 100644 --- a/scripts/base/frameworks/intel/main.zeek +++ b/scripts/base/frameworks/intel/main.zeek 
@@ -35,7 +35,7 @@ export { ## Set of intelligence data types. type TypeSet: set[Type]; - ## Data about an :bro:type:`Intel::Item`. + ## Data about an :zeek:type:`Intel::Item`. type MetaData: record { ## An arbitrary string value representing the data source. This ## value is used as unique key to identify a metadata record in @@ -75,7 +75,7 @@ export { ## The type of data that the indicator represents. indicator_type: Type &log &optional; - ## If the indicator type was :bro:enum:`Intel::ADDR`, then this + ## If the indicator type was :zeek:enum:`Intel::ADDR`, then this ## field will be present. host: addr &optional; @@ -155,7 +155,7 @@ export { global extend_match: hook(info: Info, s: Seen, items: set[Item]); ## The expiration timeout for intelligence items. Once an item expires, the - ## :bro:id:`Intel::item_expired` hook is called. Reinsertion of an item + ## :zeek:id:`Intel::item_expired` hook is called. Reinsertion of an item ## resets the timeout. A negative value disables expiration of intelligence ## items. const item_expiration = -1 min &redef; diff --git a/scripts/base/frameworks/logging/main.zeek b/scripts/base/frameworks/logging/main.zeek index 798b54839e..8746ee3654 100644 --- a/scripts/base/frameworks/logging/main.zeek +++ b/scripts/base/frameworks/logging/main.zeek @@ -176,7 +176,7 @@ export { ## easy to flood the disk by returning a new string for each ## connection. Upon adding a filter to a stream, if neither ## ``path`` nor ``path_func`` is explicitly set by them, then - ## :bro:see:`Log::default_path_func` is used. + ## :zeek:see:`Log::default_path_func` is used. ## ## id: The ID associated with the log stream. ## 
@@ -191,7 +191,7 @@ export { ## ## Returns: The path to be used for the filter, which will be ## subject to the same automatic correction rules as - ## the *path* field of :bro:type:`Log::Filter` in the + ## the *path* field of :zeek:type:`Log::Filter` in the ## case of conflicts with other filters trying to use ## the same writer/path pair. path_func: function(id: ID, path: string, rec: any): string &optional; @@ -232,7 +232,7 @@ export { interv: interval &default=default_rotation_interval; ## Callback function to trigger for rotated files. If not set, the - ## default comes out of :bro:id:`Log::default_rotation_postprocessors`. + ## default comes out of :zeek:id:`Log::default_rotation_postprocessors`. postprocessor: function(info: RotationInfo) : bool &optional; ## A key/value table that will be passed on to the writer. @@ -253,7 +253,7 @@ export { ## Returns: True if a new logging stream was successfully created and ## a default filter added to it. ## - ## .. bro:see:: Log::add_default_filter Log::remove_default_filter + ## .. zeek:see:: Log::add_default_filter Log::remove_default_filter global create_stream: function(id: ID, stream: Stream) : bool; ## Removes a logging stream completely, stopping all the threads. @@ -262,7 +262,7 @@ export { ## ## Returns: True if the stream was successfully removed. ## - ## .. bro:see:: Log::create_stream + ## .. zeek:see:: Log::create_stream global remove_stream: function(id: ID) : bool; ## Enables a previously disabled logging stream. Disabled streams @@ -273,7 +273,7 @@ export { ## ## Returns: True if the stream is re-enabled or was not previously disabled. ## - ## .. bro:see:: Log::disable_stream + ## .. zeek:see:: Log::disable_stream global enable_stream: function(id: ID) : bool; ## Disables a currently enabled logging stream. Disabled streams 
@@ -284,7 +284,7 @@ export { ## ## Returns: True if the stream is now disabled or was already disabled. ## - ## .. bro:see:: Log::enable_stream + ## .. zeek:see:: Log::enable_stream global disable_stream: function(id: ID) : bool; ## Adds a custom filter to an existing logging stream. If a filter @@ -299,7 +299,7 @@ export { ## the filter was not added or the *filter* argument was not ## the correct type. ## - ## .. bro:see:: Log::remove_filter Log::add_default_filter + ## .. zeek:see:: Log::remove_filter Log::add_default_filter ## Log::remove_default_filter Log::get_filter Log::get_filter_names global add_filter: function(id: ID, filter: Filter) : bool; @@ -309,12 +309,12 @@ export { ## remove a filter. ## ## name: A string to match against the ``name`` field of a - ## :bro:type:`Log::Filter` for identification purposes. + ## :zeek:type:`Log::Filter` for identification purposes. ## ## Returns: True if the logging stream's filter was removed or ## if no filter associated with *name* was found. ## - ## .. bro:see:: Log::remove_filter Log::add_default_filter + ## .. zeek:see:: Log::remove_filter Log::add_default_filter ## Log::remove_default_filter Log::get_filter Log::get_filter_names global remove_filter: function(id: ID, name: string) : bool; @@ -326,7 +326,7 @@ export { ## ## Returns: The set of filter names associated with the stream. ## - ## ..bro:see:: Log::remove_filter Log::add_default_filter + ## ..zeek:see:: Log::remove_filter Log::add_default_filter ## Log::remove_default_filter Log::get_filter global get_filter_names: function(id: ID) : set[string]; 
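Review bot: In the `get_filter_names` hunk of logging/main.zeek (`@@ -326,7 +326,7 @@`) the rewritten line still reads `## ..zeek:see:: Log::remove_filter Log::add_default_filter`, with no space after the two dots. reStructuredText only treats `..` followed by whitespace as explicit markup, so this line will presumably render as plain text rather than a cross-reference list. Every other `.. zeek:see::` line in this file's hunks has the space. Since the line is being rewritten anyway, I would make it `## .. zeek:see:: Log::remove_filter Log::add_default_filter`. The enclosing `export` block starts and ends outside the hunk.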
@@ -336,13 +336,13 @@ export { ## obtain one of its filters. ## ## name: A string to match against the ``name`` field of a - ## :bro:type:`Log::Filter` for identification purposes. + ## :zeek:type:`Log::Filter` for identification purposes. ## ## Returns: A filter attached to the logging stream *id* matching ## *name* or, if no matches are found returns the - ## :bro:id:`Log::no_filter` sentinel value. + ## :zeek:id:`Log::no_filter` sentinel value. ## - ## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter + ## .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter ## Log::remove_default_filter Log::get_filter_names global get_filter: function(id: ID, name: string) : Filter; @@ -360,7 +360,7 @@ export { ## to handle, or one of the stream's filters has an invalid ## ``path_func``. ## - ## .. bro:see:: Log::enable_stream Log::disable_stream + ## .. zeek:see:: Log::enable_stream Log::disable_stream global write: function(id: ID, columns: any) : bool; ## Sets the buffering status for all the writers of a given logging stream. @@ -375,7 +375,7 @@ export { ## Returns: True if buffering status was set, false if the logging stream ## does not exist. ## - ## .. bro:see:: Log::flush + ## .. zeek:see:: Log::flush global set_buf: function(id: ID, buffered: bool): bool; ## Flushes any currently buffered output for all the writers of a given 
@@ -388,50 +388,50 @@ export { ## buffered data or if the logging stream is disabled, ## false if the logging stream does not exist. ## - ## .. bro:see:: Log::set_buf Log::enable_stream Log::disable_stream + ## .. zeek:see:: Log::set_buf Log::enable_stream Log::disable_stream global flush: function(id: ID): bool; - ## Adds a default :bro:type:`Log::Filter` record with ``name`` field + ## Adds a default :zeek:type:`Log::Filter` record with ``name`` field ## set as "default" to a given logging stream. ## ## id: The ID associated with a logging stream for which to add a default ## filter. ## - ## Returns: The status of a call to :bro:id:`Log::add_filter` using a - ## default :bro:type:`Log::Filter` argument with ``name`` field + ## Returns: The status of a call to :zeek:id:`Log::add_filter` using a + ## default :zeek:type:`Log::Filter` argument with ``name`` field ## set to "default". ## - ## .. bro:see:: Log::add_filter Log::remove_filter + ## .. zeek:see:: Log::add_filter Log::remove_filter ## Log::remove_default_filter global add_default_filter: function(id: ID) : bool; - ## Removes the :bro:type:`Log::Filter` with ``name`` field equal to + ## Removes the :zeek:type:`Log::Filter` with ``name`` field equal to ## "default". ## ## id: The ID associated with a logging stream from which to remove the ## default filter. ## - ## Returns: The status of a call to :bro:id:`Log::remove_filter` using + ## Returns: The status of a call to :zeek:id:`Log::remove_filter` using ## "default" as the argument. ## - ## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter + ## .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter global remove_default_filter: function(id: ID) : bool; - ## Runs a command given by :bro:id:`Log::default_rotation_postprocessor_cmd` + ## Runs a command given by :zeek:id:`Log::default_rotation_postprocessor_cmd` ## on a rotated file. 
Meant to be called from postprocessor functions - ## that are added to :bro:id:`Log::default_rotation_postprocessors`. + ## that are added to :zeek:id:`Log::default_rotation_postprocessors`. ## ## info: A record holding meta-information about the log being rotated. ## ## npath: The new path of the file (after already being rotated/processed ## by writer-specific postprocessor as defined in - ## :bro:id:`Log::default_rotation_postprocessors`). + ## :zeek:id:`Log::default_rotation_postprocessors`). ## - ## Returns: True when :bro:id:`Log::default_rotation_postprocessor_cmd` + ## Returns: True when :zeek:id:`Log::default_rotation_postprocessor_cmd` ## is empty or the system command given by it has been invoked ## to postprocess a rotated log file. ## - ## .. bro:see:: Log::default_rotation_date_format + ## .. zeek:see:: Log::default_rotation_date_format ## Log::default_rotation_postprocessor_cmd ## Log::default_rotation_postprocessors global run_rotation_postprocessor_cmd: function(info: RotationInfo, npath: string) : bool; diff --git a/scripts/base/frameworks/logging/postprocessors/scp.zeek b/scripts/base/frameworks/logging/postprocessors/scp.zeek index 462cb86b20..22adc29e47 100644 --- a/scripts/base/frameworks/logging/postprocessors/scp.zeek +++ b/scripts/base/frameworks/logging/postprocessors/scp.zeek 
@@ -2,22 +2,22 @@ ##! to a logging filter in order to automatically SCP (secure copy) ##! a log stream (or a subset of it) to a remote host at configurable ##! rotation time intervals. Generally, to use this functionality -##! you must handle the :bro:id:`zeek_init` event and do the following +##! you must handle the :zeek:id:`zeek_init` event and do the following ##! in your handler: ##! -##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path, +##! 1) Create a new :zeek:type:`Log::Filter` record that defines a name/path, ##! rotation interval, and set the ``postprocessor`` to -##! :bro:id:`Log::scp_postprocessor`. -##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`. -##! 3) Add a table entry to :bro:id:`Log::scp_destinations` for the filter's -##! writer/path pair which defines a set of :bro:type:`Log::SCPDestination` +##! :zeek:id:`Log::scp_postprocessor`. +##! 2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`. +##! 3) Add a table entry to :zeek:id:`Log::scp_destinations` for the filter's +##! writer/path pair which defines a set of :zeek:type:`Log::SCPDestination` ##! records. module Log; export { ## Secure-copies the rotated log to all the remote hosts - ## defined in :bro:id:`Log::scp_destinations` and then deletes + ## defined in :zeek:id:`Log::scp_destinations` and then deletes ## the local copy of the rotated log. It's not active when ## reading from trace files. ## @@ -42,7 +42,7 @@ export { }; ## A table indexed by a particular log writer and filter path, that yields - ## a set of remote destinations. The :bro:id:`Log::scp_postprocessor` + ## a set of remote destinations. The :zeek:id:`Log::scp_postprocessor` ## function queries this table upon log rotation and performs a secure ## copy of the rotated log to each destination in the set. This ## table can be modified at run-time. 
diff --git a/scripts/base/frameworks/logging/postprocessors/sftp.zeek b/scripts/base/frameworks/logging/postprocessors/sftp.zeek index 803851261f..75ab438809 100644 --- a/scripts/base/frameworks/logging/postprocessors/sftp.zeek +++ b/scripts/base/frameworks/logging/postprocessors/sftp.zeek @@ -2,22 +2,22 @@ ##! to a logging filter in order to automatically SFTP ##! a log stream (or a subset of it) to a remote host at configurable ##! rotation time intervals. Generally, to use this functionality -##! you must handle the :bro:id:`zeek_init` event and do the following +##! you must handle the :zeek:id:`zeek_init` event and do the following ##! in your handler: ##! -##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path, +##! 1) Create a new :zeek:type:`Log::Filter` record that defines a name/path, ##! rotation interval, and set the ``postprocessor`` to -##! :bro:id:`Log::sftp_postprocessor`. -##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`. -##! 3) Add a table entry to :bro:id:`Log::sftp_destinations` for the filter's -##! writer/path pair which defines a set of :bro:type:`Log::SFTPDestination` +##! :zeek:id:`Log::sftp_postprocessor`. +##! 2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`. +##! 3) Add a table entry to :zeek:id:`Log::sftp_destinations` for the filter's +##! writer/path pair which defines a set of :zeek:type:`Log::SFTPDestination` ##! records. module Log; export { ## Securely transfers the rotated log to all the remote hosts - ## defined in :bro:id:`Log::sftp_destinations` and then deletes + ## defined in :zeek:id:`Log::sftp_destinations` and then deletes ## the local copy of the rotated log. It's not active when ## reading from trace files. ## 
@@ -44,7 +44,7 @@ export { }; ## A table indexed by a particular log writer and filter path, that yields - ## a set of remote destinations. The :bro:id:`Log::sftp_postprocessor` + ## a set of remote destinations. The :zeek:id:`Log::sftp_postprocessor` ## function queries this table upon log rotation and performs a secure ## transfer of the rotated log to each destination in the set. This ## table can be modified at run-time. diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.zeek b/scripts/base/frameworks/netcontrol/catch-and-release.zeek index 83d9e1d7af..1a8ba88574 100644 --- a/scripts/base/frameworks/netcontrol/catch-and-release.zeek +++ b/scripts/base/frameworks/netcontrol/catch-and-release.zeek @@ -80,7 +80,7 @@ export { ## again. ## ## In cluster mode, this function works on workers as well as the manager. On managers, - ## the returned :bro:see:`NetControl::BlockInfo` record will not contain the block ID, + ## the returned :zeek:see:`NetControl::BlockInfo` record will not contain the block ID, ## which will be assigned on the manager. ## ## a: The address to be dropped. @@ -89,7 +89,7 @@ export { ## ## location: An optional string describing where the drop was triggered. ## - ## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about + ## Returns: The :zeek:see:`NetControl::BlockInfo` record containing information about ## the inserted block. global drop_address_catch_release: function(a: addr, location: string &default="") : BlockInfo; 
@@ -114,7 +114,7 @@ export { ## a: The address that was seen and should be re-dropped if it is being watched. global catch_release_seen: function(a: addr); - ## Get the :bro:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release. + ## Get the :zeek:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release. ## If the address is unknown to catch and release, the watch_until time will be set to 0. ## ## In cluster mode, this function works on the manager and workers. On workers, the data will @@ -123,7 +123,7 @@ export { ## ## a: The address to get information about. ## - ## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about + ## Returns: The :zeek:see:`NetControl::BlockInfo` record containing information about ## the inserted block. global get_catch_release_info: function(a: addr) : BlockInfo; @@ -132,7 +132,7 @@ export { ## ## a: The address that is no longer being managed. ## - ## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block. + ## bi: The :zeek:see:`NetControl::BlockInfo` record containing information about the block. global catch_release_forgotten: event(a: addr, bi: BlockInfo); ## If true, catch_release_seen is called on the connection originator in new_connection, @@ -148,7 +148,7 @@ export { ## effect. const catch_release_intervals: vector of interval = vector(10min, 1hr, 24hrs, 7days) &redef; - ## Event that can be handled to access the :bro:type:`NetControl::CatchReleaseInfo` + ## Event that can be handled to access the :zeek:type:`NetControl::CatchReleaseInfo` ## record as it is sent on to the logging framework. global log_netcontrol_catch_release: event(rec: CatchReleaseInfo); diff --git a/scripts/base/frameworks/netcontrol/drop.zeek b/scripts/base/frameworks/netcontrol/drop.zeek index 40304e1187..9c1adc73d2 100644 --- a/scripts/base/frameworks/netcontrol/drop.zeek +++ b/scripts/base/frameworks/netcontrol/drop.zeek 
@@ -50,7 +50,7 @@ export { ## r: The rule to be added. global NetControl::drop_rule_policy: hook(r: Rule); - ## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo` + ## Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo` ## record as it is sent on to the logging framework. global log_netcontrol_drop: event(rec: DropInfo); } diff --git a/scripts/base/frameworks/netcontrol/main.zeek b/scripts/base/frameworks/netcontrol/main.zeek index ee5f6a276c..97b6e27459 100644 --- a/scripts/base/frameworks/netcontrol/main.zeek +++ b/scripts/base/frameworks/netcontrol/main.zeek @@ -98,7 +98,7 @@ export { ## Returns: Vector of inserted rules on success, empty list on failure. global quarantine_host: function(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string; - ## Flushes all state by calling :bro:see:`NetControl::remove_rule` on all currently active rules. + ## Flushes all state by calling :zeek:see:`NetControl::remove_rule` on all currently active rules. global clear: function(); # ### @@ -122,7 +122,7 @@ export { ## Removes a rule. ## - ## id: The rule to remove, specified as the ID returned by :bro:see:`NetControl::add_rule`. + ## id: The rule to remove, specified as the ID returned by :zeek:see:`NetControl::add_rule`. ## ## reason: Optional string argument giving information on why the rule was removed. ## @@ -138,7 +138,7 @@ export { ## the rule has been added; if it is not removed from them by a separate mechanism, ## it will stay installed and not be removed later. ## - ## id: The rule to delete, specified as the ID returned by :bro:see:`NetControl::add_rule`. + ## id: The rule to delete, specified as the ID returned by :zeek:see:`NetControl::add_rule`. ## ## reason: Optional string argument giving information on why the rule was deleted. ## 
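Review bot: The doc comment above `log_netcontrol_drop` in netcontrol/drop.zeek (`@@ -50,7 +50,7 @@`) still names `NetControl::ShuntInfo`, while the event declared directly below it takes `rec: DropInfo`. The role rename carries that mismatch over, so the generated reference would link readers to the wrong record. It looks copied from shunt.zeek, which has the same sentence. I would change the role target on the new line to `NetControl::DropInfo`. The record definition is outside the hunk, so confirm the exported name there before changing it.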
@@ -321,7 +321,7 @@ export { plugin: string &log &optional; }; - ## Event that can be handled to access the :bro:type:`NetControl::Info` + ## Event that can be handled to access the :zeek:type:`NetControl::Info` ## record as it is sent on to the logging framework. global log_netcontrol: event(rec: Info); } diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.zeek b/scripts/base/frameworks/netcontrol/plugins/broker.zeek index 4bfb231c94..599613d06d 100644 --- a/scripts/base/frameworks/netcontrol/plugins/broker.zeek +++ b/scripts/base/frameworks/netcontrol/plugins/broker.zeek @@ -9,7 +9,7 @@ module NetControl; @load base/frameworks/broker export { - ## This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`. + ## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`. type BrokerConfig: record { ## The broker topic to send events to. topic: string &optional; diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.zeek b/scripts/base/frameworks/netcontrol/plugins/openflow.zeek index f1403a70a8..d80d7c4a41 100644 --- a/scripts/base/frameworks/netcontrol/plugins/openflow.zeek +++ b/scripts/base/frameworks/netcontrol/plugins/openflow.zeek @@ -7,7 +7,7 @@ module NetControl; export { - ## This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`. + ## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_openflow`. type OfConfig: record { monitor: bool &default=T; ##< Accept rules that target the monitor path. forward: bool &default=T; ##< Accept rules that target the forward path. diff --git a/scripts/base/frameworks/netcontrol/shunt.zeek b/scripts/base/frameworks/netcontrol/shunt.zeek index 58923a0cb3..7cbd8512e2 100644 --- a/scripts/base/frameworks/netcontrol/shunt.zeek +++ b/scripts/base/frameworks/netcontrol/shunt.zeek 
@@ -31,7 +31,7 @@ export { location: string &log &optional; }; - ## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo` + ## Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo` ## record as it is sent on to the logging framework. global log_netcontrol_shunt: event(rec: ShuntInfo); } diff --git a/scripts/base/frameworks/netcontrol/types.zeek b/scripts/base/frameworks/netcontrol/types.zeek index 7fda65ea6b..2be65ce3e6 100644 --- a/scripts/base/frameworks/netcontrol/types.zeek +++ b/scripts/base/frameworks/netcontrol/types.zeek @@ -1,6 +1,6 @@ ##! This file defines the types that are used by the NetControl framework. ##! -##! The most important type defined in this file is :bro:see:`NetControl::Rule`, +##! The most important type defined in this file is :zeek:see:`NetControl::Rule`, ##! which is used to describe all rules that can be expressed by the NetControl framework. module NetControl; @@ -10,11 +10,11 @@ export { option default_priority: int = +0; ## The default priority that is used when using the high-level functions to - ## push whitelist entries to the backends (:bro:see:`NetControl::whitelist_address` and - ## :bro:see:`NetControl::whitelist_subnet`). + ## push whitelist entries to the backends (:zeek:see:`NetControl::whitelist_address` and + ## :zeek:see:`NetControl::whitelist_subnet`). ## ## Note that this priority is not automatically used when manually creating rules - ## that have a :bro:see:`NetControl::RuleType` of :bro:enum:`NetControl::WHITELIST`. + ## that have a :zeek:see:`NetControl::RuleType` of :zeek:enum:`NetControl::WHITELIST`. const whitelist_priority: int = +5 &redef; ## Type defining the entity that a rule applies to. 
@@ -25,7 +25,7 @@ export { MAC, ##< Activity involving a MAC address. }; - ## Flow is used in :bro:type:`NetControl::Entity` together with :bro:enum:`NetControl::FLOW` to specify + ## Flow is used in :zeek:type:`NetControl::Entity` together with :zeek:enum:`NetControl::FLOW` to specify ## a uni-directional flow that a rule applies to. ## ## If optional fields are not set, they are interpreted as wildcarded. @@ -41,10 +41,10 @@ export { ## Type defining the entity a rule is operating on. type Entity: record { ty: EntityType; ##< Type of entity. - conn: conn_id &optional; ##< Used with :bro:enum:`NetControl::CONNECTION`. - flow: Flow &optional; ##< Used with :bro:enum:`NetControl::FLOW`. - ip: subnet &optional; ##< Used with :bro:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet. - mac: string &optional; ##< Used with :bro:enum:`NetControl::MAC`. + conn: conn_id &optional; ##< Used with :zeek:enum:`NetControl::CONNECTION`. + flow: Flow &optional; ##< Used with :zeek:enum:`NetControl::FLOW`. + ip: subnet &optional; ##< Used with :zeek:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet. + mac: string &optional; ##< Used with :zeek:enum:`NetControl::MAC`. }; ## Type defining the target of a rule. @@ -59,7 +59,7 @@ export { }; ## Type of rules that the framework supports. Each type lists the extra - ## :bro:type:`NetControl::Rule` fields it uses, if any. + ## :zeek:type:`NetControl::Rule` fields it uses, if any. ## ## Plugins may extend this type to define their own. type RuleType: enum { 
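Review bot: The `ip` field comment of the `Entity` record in netcontrol/types.zeek (`@@ -41,10 +41,10 @@`) carries the typo `specifiy` over to the new side. The line is already being rewritten for the role rename, so this is a cheap place to fix it: change `to specifiy a CIDR subnet` to `to specify a CIDR subnet`. The record sits inside an `export` block that starts outside the hunk.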
@@ -108,8 +108,8 @@ export { priority: int &default=default_priority; ##< Priority if multiple rules match an entity (larger value is higher priority). location: string &optional; ##< Optional string describing where/what installed the rule. - out_port: count &optional; ##< Argument for :bro:enum:`NetControl::REDIRECT` rules. - mod: FlowMod &optional; ##< Argument for :bro:enum:`NetControl::MODIFY` rules. + out_port: count &optional; ##< Argument for :zeek:enum:`NetControl::REDIRECT` rules. + mod: FlowMod &optional; ##< Argument for :zeek:enum:`NetControl::MODIFY` rules. id: string &default=""; ##< Internally determined unique ID for this rule. Will be set when added. cid: count &default=0; ##< Internally determined unique numeric ID for this rule. Set when added. diff --git a/scripts/base/frameworks/notice/actions/add-geodata.zeek b/scripts/base/frameworks/notice/actions/add-geodata.zeek index 7d097f5eb6..04cc10209d 100644 --- a/scripts/base/frameworks/notice/actions/add-geodata.zeek +++ b/scripts/base/frameworks/notice/actions/add-geodata.zeek @@ -13,7 +13,7 @@ module Notice; export { redef enum Action += { ## Indicates that the notice should have geodata added for the - ## "remote" host. :bro:id:`Site::local_nets` must be defined + ## "remote" host. :zeek:id:`Site::local_nets` must be defined ## in order for this to work. ACTION_ADD_GEODATA }; diff --git a/scripts/base/frameworks/notice/actions/drop.zeek b/scripts/base/frameworks/notice/actions/drop.zeek index a189faaeda..024c3b5b92 100644 --- a/scripts/base/frameworks/notice/actions/drop.zeek +++ b/scripts/base/frameworks/notice/actions/drop.zeek @@ -8,7 +8,7 @@ module Notice; export { redef enum Action += { - ## Drops the address via :bro:see:`NetControl::drop_address_catch_release`. + ## Drops the address via :zeek:see:`NetControl::drop_address_catch_release`. ACTION_DROP }; 
diff --git a/scripts/base/frameworks/notice/actions/email_admin.zeek b/scripts/base/frameworks/notice/actions/email_admin.zeek index fb82f2b960..1b02e5ff0c 100644 --- a/scripts/base/frameworks/notice/actions/email_admin.zeek +++ b/scripts/base/frameworks/notice/actions/email_admin.zeek @@ -1,6 +1,6 @@ ##! Adds a new notice action type which can be used to email notices ##! to the administrators of a particular address space as set by -##! :bro:id:`Site::local_admins` if the notice contains a source +##! :zeek:id:`Site::local_admins` if the notice contains a source ##! or destination address that lies within their space. @load ../main @@ -12,7 +12,7 @@ export { redef enum Action += { ## Indicate that the generated email should be addressed to the ## appropriate email addresses as found by the - ## :bro:id:`Site::get_emails` function based on the relevant + ## :zeek:id:`Site::get_emails` function based on the relevant ## address or addresses indicated in the notice. ACTION_EMAIL_ADMIN }; diff --git a/scripts/base/frameworks/notice/actions/page.zeek b/scripts/base/frameworks/notice/actions/page.zeek index 73432337d1..99ca44537b 100644 --- a/scripts/base/frameworks/notice/actions/page.zeek +++ b/scripts/base/frameworks/notice/actions/page.zeek @@ -7,12 +7,12 @@ module Notice; export { redef enum Action += { ## Indicates that the notice should be sent to the pager email - ## address configured in the :bro:id:`Notice::mail_page_dest` + ## address configured in the :zeek:id:`Notice::mail_page_dest` ## variable. ACTION_PAGE }; - ## Email address to send notices with the :bro:enum:`Notice::ACTION_PAGE` + ## Email address to send notices with the :zeek:enum:`Notice::ACTION_PAGE` ## action. option mail_page_dest = ""; } diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.zeek b/scripts/base/frameworks/notice/actions/pp-alarms.zeek index 02fe65e163..a327f3f9d6 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.zeek 
+++ b/scripts/base/frameworks/notice/actions/pp-alarms.zeek @@ -12,7 +12,7 @@ export { const pretty_print_alarms = T &redef; ## Address to send the pretty-printed reports to. Default if not set is - ## :bro:id:`Notice::mail_dest`. + ## :zeek:id:`Notice::mail_dest`. ## ## Note that this is overridden by the BroControl MailAlarmsTo option. const mail_dest_pretty_printed = "" &redef; diff --git a/scripts/base/frameworks/notice/main.zeek b/scripts/base/frameworks/notice/main.zeek index 5b2625e0db..f4a7796495 100644 --- a/scripts/base/frameworks/notice/main.zeek +++ b/scripts/base/frameworks/notice/main.zeek @@ -18,7 +18,7 @@ export { ## Scripts creating new notices need to redef this enum to add their ## own specific notice types which would then get used when they call - ## the :bro:id:`NOTICE` function. The convention is to give a general + ## the :zeek:id:`NOTICE` function. The convention is to give a general ## category along with the specific notice separating words with ## underscores and using leading capitals on each word except for ## abbreviations which are kept in all capitals. For example, @@ -37,12 +37,12 @@ export { ## logging stream. ACTION_LOG, ## Indicates that the notice should be sent to the email - ## address(es) configured in the :bro:id:`Notice::mail_dest` + ## address(es) configured in the :zeek:id:`Notice::mail_dest` ## variable. ACTION_EMAIL, ## Indicates that the notice should be alarmed. A readable ## ASCII version of the alarm log is emailed in bulk to the - ## address(es) configured in :bro:id:`Notice::mail_dest`. + ## address(es) configured in :zeek:id:`Notice::mail_dest`. ACTION_ALARM, }; 
@@ -50,7 +50,7 @@ export { type ActionSet: set[Notice::Action]; ## The notice framework is able to do automatic notice suppression by - ## utilizing the *identifier* field in :bro:type:`Notice::Info` records. + ## utilizing the *identifier* field in :zeek:type:`Notice::Info` records. ## Set this to "0secs" to completely disable automated notice ## suppression. option default_suppression_interval = 1hrs; @@ -103,18 +103,18 @@ export { ## *conn*, *iconn* or *p* is specified. proto: transport_proto &log &optional; - ## The :bro:type:`Notice::Type` of the notice. + ## The :zeek:type:`Notice::Type` of the notice. note: Type &log; ## The human readable message for the notice. msg: string &log &optional; ## The human readable sub-message. sub: string &log &optional; - ## Source address, if we don't have a :bro:type:`conn_id`. + ## Source address, if we don't have a :zeek:type:`conn_id`. src: addr &log &optional; ## Destination address. dst: addr &log &optional; - ## Associated port, if we don't have a :bro:type:`conn_id`. + ## Associated port, if we don't have a :zeek:type:`conn_id`. p: port &log &optional; ## Associated count, or perhaps a status code. n: count &log &optional; 
@@ -131,14 +131,14 @@ export { ## By adding chunks of text into this element, other scripts ## can expand on notices that are being emailed. The normal ## way to add text is to extend the vector by handling the - ## :bro:id:`Notice::notice` event and modifying the notice in + ## :zeek:id:`Notice::notice` event and modifying the notice in ## place. email_body_sections: vector of string &optional; ## Adding a string "token" to this set will cause the notice ## framework's built-in emailing functionality to delay sending ## the email until either the token has been removed or the - ## email has been delayed for :bro:id:`Notice::max_email_delay`. + ## email has been delayed for :zeek:id:`Notice::max_email_delay`. email_delay_tokens: set[string] &optional; ## This field is to be provided when a notice is generated for @@ -192,8 +192,8 @@ export { ## Note that this is overridden by the BroControl SendMail option. option sendmail = "/usr/sbin/sendmail"; ## Email address to send notices with the - ## :bro:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs - ## on rotation with :bro:enum:`Notice::ACTION_ALARM`. + ## :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs + ## on rotation with :zeek:enum:`Notice::ACTION_ALARM`. ## ## Note that this is overridden by the BroControl MailTo option. const mail_dest = "" &redef; 
@@ -212,18 +212,18 @@ export { ## The maximum amount of time a plugin can delay email from being sent. const max_email_delay = 15secs &redef; - ## Contains a portion of :bro:see:`fa_file` that's also contained in - ## :bro:see:`Notice::Info`. + ## Contains a portion of :zeek:see:`fa_file` that's also contained in + ## :zeek:see:`Notice::Info`. type FileInfo: record { fuid: string; ##< File UID. desc: string; ##< File description from e.g. - ##< :bro:see:`Files::describe`. + ##< :zeek:see:`Files::describe`. mime: string &optional; ##< Strongest mime type match for file. cid: conn_id &optional; ##< Connection tuple over which file is sent. cuid: string &optional; ##< Connection UID over which file is sent. }; - ## Creates a record containing a subset of a full :bro:see:`fa_file` record. + ## Creates a record containing a subset of a full :zeek:see:`fa_file` record. ## ## f: record containing metadata about a file. ## @@ -245,7 +245,7 @@ export { global populate_file_info2: function(fi: Notice::FileInfo, n: Notice::Info); ## A log postprocessing function that implements emailing the contents - ## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`. + ## of a log upon rotation to any configured :zeek:id:`Notice::mail_dest`. ## The rotated log is removed upon being sent. ## ## info: A record containing the rotated log file information. @@ -254,9 +254,9 @@ export { global log_mailing_postprocessor: function(info: Log::RotationInfo): bool; ## This is the event that is called as the entry point to the - ## notice framework by the global :bro:id:`NOTICE` function. By the + ## notice framework by the global :zeek:id:`NOTICE` function. By the ## time this event is generated, default values have already been - ## filled out in the :bro:type:`Notice::Info` record and the notice + ## filled out in the :zeek:type:`Notice::Info` record and the notice ## policy has also been applied. ## ## n: The record containing notice data. 
@@ -268,7 +268,7 @@ export { ## ## suppress_for: length of time that this notice should be suppressed. ## - ## note: The :bro:type:`Notice::Type` of the notice. + ## note: The :zeek:type:`Notice::Type` of the notice. ## ## identifier: The identifier string of the notice that should be suppressed. global begin_suppression: event(ts: time, suppress_for: interval, note: Type, identifier: string); @@ -286,8 +286,8 @@ export { global suppressed: event(n: Notice::Info); ## Call this function to send a notice in an email. It is already used - ## by default with the built in :bro:enum:`Notice::ACTION_EMAIL` and - ## :bro:enum:`Notice::ACTION_PAGE` actions. + ## by default with the built in :zeek:enum:`Notice::ACTION_EMAIL` and + ## :zeek:enum:`Notice::ACTION_PAGE` actions. ## ## n: The record of notice data to email. ## @@ -308,13 +308,13 @@ export { ## appended. global email_headers: function(subject_desc: string, dest: string): string; - ## This event can be handled to access the :bro:type:`Notice::Info` + ## This event can be handled to access the :zeek:type:`Notice::Info` ## record as it is sent on to the logging framework. ## ## rec: The record containing notice data before it is logged. global log_notice: event(rec: Info); - ## This is an internal wrapper for the global :bro:id:`NOTICE` + ## This is an internal wrapper for the global :zeek:id:`NOTICE` ## function; disregard. ## ## n: The record of notice data. @@ -598,7 +598,7 @@ function populate_file_info2(fi: Notice::FileInfo, n: Notice::Info) # This is run synchronously as a function before all of the other # notice related functions and events. It also modifies the -# :bro:type:`Notice::Info` record in place. +# :zeek:type:`Notice::Info` record in place. function apply_policy(n: Notice::Info) { # Fill in some defaults. diff --git a/scripts/base/frameworks/openflow/plugins/log.zeek b/scripts/base/frameworks/openflow/plugins/log.zeek index 7f1ecf86ea..23a16c3186 100644 
--- a/scripts/base/frameworks/openflow/plugins/log.zeek +++ b/scripts/base/frameworks/openflow/plugins/log.zeek @@ -41,7 +41,7 @@ export { flow_mod: ofp_flow_mod &log; }; - ## Event that can be handled to access the :bro:type:`OpenFlow::Info` + ## Event that can be handled to access the :zeek:type:`OpenFlow::Info` ## record as it is sent on to the logging framework. global log_openflow: event(rec: Info); } diff --git a/scripts/base/frameworks/packet-filter/main.zeek b/scripts/base/frameworks/packet-filter/main.zeek index c06e801710..160139b1db 100644 --- a/scripts/base/frameworks/packet-filter/main.zeek +++ b/scripts/base/frameworks/packet-filter/main.zeek @@ -2,7 +2,7 @@ ##! Bro sets a capture filter that allows all traffic. If a filter ##! is set on the command line, that filter takes precedence over the default ##! open filter and all filters defined in Bro scripts with the -##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables. +##! :zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables. @load base/frameworks/notice @load base/frameworks/analyzer @@ -48,7 +48,7 @@ export { }; ## The BPF filter that is used by default to define what traffic should - ## be captured. Filters defined in :bro:id:`restrict_filters` will + ## be captured. Filters defined in :zeek:id:`restrict_filters` will ## still be applied to reduce the captured traffic. const default_capture_filter = "ip or not ip" &redef; @@ -64,7 +64,7 @@ export { ## The maximum amount of time that you'd like to allow for BPF filters to compile. ## If this time is exceeded, compensation measures may be taken by the framework ## to reduce the filter size. This threshold being crossed also results - ## in the :bro:see:`PacketFilter::Too_Long_To_Compile_Filter` notice. + ## in the :zeek:see:`PacketFilter::Too_Long_To_Compile_Filter` notice. const max_filter_compile_time = 100msec &redef; ## Install a BPF filter to exclude some traffic. The filter should 
diff --git a/scripts/base/frameworks/packet-filter/utils.zeek b/scripts/base/frameworks/packet-filter/utils.zeek index 29b54229af..cbf07f64ad 100644 --- a/scripts/base/frameworks/packet-filter/utils.zeek +++ b/scripts/base/frameworks/packet-filter/utils.zeek @@ -1,7 +1,7 @@ module PacketFilter; export { - ## Takes a :bro:type:`port` and returns a BPF expression which will + ## Takes a :zeek:type:`port` and returns a BPF expression which will ## match the port. ## ## p: The port. diff --git a/scripts/base/frameworks/reporter/main.zeek b/scripts/base/frameworks/reporter/main.zeek index 39f0755325..54e4123407 100644 --- a/scripts/base/frameworks/reporter/main.zeek +++ b/scripts/base/frameworks/reporter/main.zeek @@ -2,9 +2,9 @@ ##! internal messages/warnings/errors. It should typically be loaded to ##! log such messages to a file in a standard way. For the options to ##! toggle whether messages are additionally written to STDERR, see -##! :bro:see:`Reporter::info_to_stderr`, -##! :bro:see:`Reporter::warnings_to_stderr`, and -##! :bro:see:`Reporter::errors_to_stderr`. +##! :zeek:see:`Reporter::info_to_stderr`, +##! :zeek:see:`Reporter::warnings_to_stderr`, and +##! :zeek:see:`Reporter::errors_to_stderr`. ##! ##! Note that this framework deals with the handling of internally generated ##! reporter messages, for the interface diff --git a/scripts/base/frameworks/signatures/main.zeek b/scripts/base/frameworks/signatures/main.zeek index da19416871..910f3b461c 100644 --- a/scripts/base/frameworks/signatures/main.zeek +++ b/scripts/base/frameworks/signatures/main.zeek 
@@ -13,22 +13,22 @@ export { Sensitive_Signature, ## Host has triggered many signatures on the same host. The ## number of signatures is defined by the - ## :bro:id:`Signatures::vert_scan_thresholds` variable. + ## :zeek:id:`Signatures::vert_scan_thresholds` variable. Multiple_Signatures, ## Host has triggered the same signature on multiple hosts as - ## defined by the :bro:id:`Signatures::horiz_scan_thresholds` + ## defined by the :zeek:id:`Signatures::horiz_scan_thresholds` ## variable. Multiple_Sig_Responders, ## The same signature has triggered multiple times for a host. ## The number of times the signature has been triggered is - ## defined by the :bro:id:`Signatures::count_thresholds` + ## defined by the :zeek:id:`Signatures::count_thresholds` ## variable. To generate this notice, the - ## :bro:enum:`Signatures::SIG_COUNT_PER_RESP` action must be + ## :zeek:enum:`Signatures::SIG_COUNT_PER_RESP` action must be ## set for the signature. Count_Signature, ## Summarize the number of times a host triggered a signature. ## The interval between summaries is defined by the - ## :bro:id:`Signatures::summary_interval` variable. + ## :zeek:id:`Signatures::summary_interval` variable. Signature_Summary, }; @@ -48,7 +48,7 @@ export { SIG_QUIET, ## Generate a notice. SIG_LOG, - ## The same as :bro:enum:`Signatures::SIG_LOG`, but ignore for + ## The same as :zeek:enum:`Signatures::SIG_LOG`, but ignore for ## aggregate/scan processing. SIG_FILE_BUT_NO_SCAN, ## Generate a notice and set it to be alarmed upon. 
@@ -58,8 +58,8 @@ export { ## Alarm once and then never again. SIG_ALARM_ONCE, ## Count signatures per responder host and alarm with the - ## :bro:enum:`Signatures::Count_Signature` notice if a threshold - ## defined by :bro:id:`Signatures::count_thresholds` is reached. + ## :zeek:enum:`Signatures::Count_Signature` notice if a threshold + ## defined by :zeek:id:`Signatures::count_thresholds` is reached. SIG_COUNT_PER_RESP, ## Don't alarm, but generate per-orig summary. SIG_SUMMARY, @@ -114,11 +114,11 @@ export { ## different signature matches has reached one of the thresholds. const vert_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef; - ## Generate a notice if a :bro:enum:`Signatures::SIG_COUNT_PER_RESP` + ## Generate a notice if a :zeek:enum:`Signatures::SIG_COUNT_PER_RESP` ## signature is triggered as often as given by one of these thresholds. const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef; - ## The interval between when :bro:enum:`Signatures::Signature_Summary` + ## The interval between when :zeek:enum:`Signatures::Signature_Summary` ## notices are generated. option summary_interval = 1 day; diff --git a/scripts/base/frameworks/software/main.zeek b/scripts/base/frameworks/software/main.zeek index 291ca539a1..83669cbc82 100644 --- a/scripts/base/frameworks/software/main.zeek +++ b/scripts/base/frameworks/software/main.zeek @@ -2,7 +2,7 @@ ##! parsing but doesn't actually do any detection on it's own. It relies on ##! other protocol specific scripts to parse out software from the protocols ##! that they analyze. The entry point for providing new software detections -##! to this framework is through the :bro:id:`Software::found` function. +##! to this framework is through the :zeek:id:`Software::found` function. @load base/utils/directions-and-hosts @load base/utils/numbers 
@@ -16,7 +16,7 @@ export { ## Scripts detecting new types of software need to redef this enum to add ## their own specific software types which would then be used when they - ## create :bro:type:`Software::Info` records. + ## create :zeek:type:`Software::Info` records. type Type: enum { ## A placeholder type for when the type of software is not known. UNKNOWN, @@ -45,7 +45,7 @@ export { ## The port on which the software is running. Only sensible for ## server software. host_p: port &log &optional; - ## The type of software detected (e.g. :bro:enum:`HTTP::SERVER`). + ## The type of software detected (e.g. :zeek:enum:`HTTP::SERVER`). software_type: Type &log &default=UNKNOWN; ## Name of the software (e.g. Apache). name: string &log &optional; @@ -96,9 +96,9 @@ export { ["Flash Player"] = "Flash", } &default=function(a: string): string { return a; }; - ## Type to represent a collection of :bro:type:`Software::Info` records. + ## Type to represent a collection of :zeek:type:`Software::Info` records. ## It's indexed with the name of a piece of software such as "Firefox" - ## and it yields a :bro:type:`Software::Info` record with more + ## and it yields a :zeek:type:`Software::Info` record with more ## information about the software. type SoftwareSet: table[string] of Info; @@ -108,7 +108,7 @@ export { ## uniformly distributed among proxy nodes. global tracked: table[addr] of SoftwareSet &create_expire=1day; - ## This event can be handled to access the :bro:type:`Software::Info` + ## This event can be handled to access the :zeek:type:`Software::Info` ## record as it is sent on to the logging framework. global log_software: event(rec: Info); @@ -117,7 +117,7 @@ export { global version_change: event(old: Info, new: Info); ## This event is raised when software is about to be registered for - ## tracking in :bro:see:`Software::tracked`. + ## tracking in :zeek:see:`Software::tracked`. global register: event(info: Info); } 
diff --git a/scripts/base/frameworks/sumstats/cluster.zeek b/scripts/base/frameworks/sumstats/cluster.zeek index 670ad86fe1..d2633afd87 100644 --- a/scripts/base/frameworks/sumstats/cluster.zeek +++ b/scripts/base/frameworks/sumstats/cluster.zeek @@ -35,12 +35,12 @@ export { global cluster_get_result: event(uid: string, ss_name: string, key: Key, cleanup: bool); ## This event is sent by nodes in response to a - ## :bro:id:`SumStats::cluster_get_result` event. + ## :zeek:id:`SumStats::cluster_get_result` event. global cluster_send_result: event(uid: string, ss_name: string, key: Key, result: Result, cleanup: bool); ## This is sent by workers to indicate that they crossed the percent ## of the current threshold by the percentage defined globally in - ## :bro:id:`SumStats::cluster_request_global_view_percent`. + ## :zeek:id:`SumStats::cluster_request_global_view_percent`. global cluster_key_intermediate_response: event(ss_name: string, key: SumStats::Key); ## This event is scheduled internally on workers to send result chunks. diff --git a/scripts/base/frameworks/sumstats/main.zeek b/scripts/base/frameworks/sumstats/main.zeek index a312377111..3f73d278e5 100644 --- a/scripts/base/frameworks/sumstats/main.zeek +++ b/scripts/base/frameworks/sumstats/main.zeek @@ -105,7 +105,7 @@ export { reducers: set[Reducer]; ## A function that will be called once for each observation in order - ## to calculate a value from the :bro:see:`SumStats::Result` structure + ## to calculate a value from the :zeek:see:`SumStats::Result` structure ## which will be used for thresholding. ## This function is required if a *threshold* value or ## a *threshold_series* is given. 
@@ -157,7 +157,7 @@ export { ## Dynamically request a sumstat key. This function should be ## used sparingly and not as a replacement for the callbacks - ## from the :bro:see:`SumStats::SumStat` record. The function is only + ## from the :zeek:see:`SumStats::SumStat` record. The function is only ## available for use within "when" statements as an asynchronous ## function. ## @@ -168,7 +168,7 @@ export { ## Returns: The result for the requested sumstat key. global request_key: function(ss_name: string, key: Key): Result; - ## Helper function to represent a :bro:type:`SumStats::Key` value as + ## Helper function to represent a :zeek:type:`SumStats::Key` value as ## a simple string. ## ## key: The metric key that is to be converted into a string. diff --git a/scripts/base/frameworks/sumstats/plugins/last.zeek b/scripts/base/frameworks/sumstats/plugins/last.zeek index b12d854bbb..a2c19f3f51 100644 --- a/scripts/base/frameworks/sumstats/plugins/last.zeek +++ b/scripts/base/frameworks/sumstats/plugins/last.zeek @@ -19,7 +19,7 @@ export { redef record ResultVal += { ## This is the queue where elements are maintained. ## Don't access this value directly, instead use the - ## :bro:see:`SumStats::get_last` function to get a vector of + ## :zeek:see:`SumStats::get_last` function to get a vector of ## the current element values. last_elements: Queue::Queue &optional; }; diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek index f72a7d3445..09441c177c 100644 --- a/scripts/base/frameworks/tunnels/main.zeek +++ b/scripts/base/frameworks/tunnels/main.zeek @@ -3,7 +3,7 @@ ##! ##! For any connection that occurs over a tunnel, information about its ##! encapsulating tunnels is also found in the *tunnel* field of -##! :bro:type:`connection`. +##! :zeek:type:`connection`. module Tunnel; 
@@ -18,7 +18,7 @@ export { ## A tunnel connection has closed. CLOSE, ## No new connections over a tunnel happened in the amount of - ## time indicated by :bro:see:`Tunnel::expiration_interval`. + ## time indicated by :zeek:see:`Tunnel::expiration_interval`. EXPIRE, }; @@ -27,7 +27,7 @@ export { ## Time at which some tunnel activity occurred. ts: time &log; ## The unique identifier for the tunnel, which may correspond - ## to a :bro:type:`connection`'s *uid* field for non-IP-in-IP tunnels. + ## to a :zeek:type:`connection`'s *uid* field for non-IP-in-IP tunnels. ## This is optional because there could be numerous connections ## for payload proxies like SOCKS but we should treat it as a ## single tunnel. 
@@ -42,29 +42,29 @@ export { }; ## Logs all tunnels in an encapsulation chain with action - ## :bro:see:`Tunnel::DISCOVER` that aren't already in the - ## :bro:id:`Tunnel::active` table and adds them if not. + ## :zeek:see:`Tunnel::DISCOVER` that aren't already in the + ## :zeek:id:`Tunnel::active` table and adds them if not. global register_all: function(ecv: EncapsulatingConnVector); ## Logs a single tunnel "connection" with action - ## :bro:see:`Tunnel::DISCOVER` if it's not already in the - ## :bro:id:`Tunnel::active` table and adds it if not. + ## :zeek:see:`Tunnel::DISCOVER` if it's not already in the + ## :zeek:id:`Tunnel::active` table and adds it if not. global register: function(ec: EncapsulatingConn); ## Logs a single tunnel "connection" with action - ## :bro:see:`Tunnel::EXPIRE` and removes it from the - ## :bro:id:`Tunnel::active` table. + ## :zeek:see:`Tunnel::EXPIRE` and removes it from the + ## :zeek:id:`Tunnel::active` table. ## ## t: A table of tunnels. ## ## idx: The index of the tunnel table corresponding to the tunnel to expire. ## ## Returns: 0secs, which when this function is used as an - ## :bro:attr:`&expire_func`, indicates to remove the element at + ## :zeek:attr:`&expire_func`, indicates to remove the element at ## *idx* immediately. global expire: function(t: table[conn_id] of Info, idx: conn_id): interval; - ## Removes a single tunnel from the :bro:id:`Tunnel::active` table + ## Removes a single tunnel from the :zeek:id:`Tunnel::active` table ## and logs the closing/expiration of the tunnel. ## ## tunnel: The tunnel which has closed or expired. @@ -78,7 +78,7 @@ export { ## Currently active tunnels. That is, tunnels for which new, ## encapsulated connections have been seen in the interval indicated by - ## :bro:see:`Tunnel::expiration_interval`. + ## :zeek:see:`Tunnel::expiration_interval`. global active: table[conn_id] of Info = table() &read_expire=expiration_interval &expire_func=expire; } 
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 4575b3a694..86e3317931 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -99,7 +99,7 @@ type files_tag_set: set[Files::Tag]; ## A structure indicating a MIME type and strength of a match against ## file magic signatures. ## -## :bro:see:`file_magic` +## :zeek:see:`file_magic` type mime_match: record { strength: int; ##< How strongly the signature matched. Used for ##< prioritization when multiple file magic signatures @@ -110,7 +110,7 @@ type mime_match: record { ## A vector of file magic signature matches, ordered by strength of ## the signature, strongest first. ## -## :bro:see:`file_magic` +## :zeek:see:`file_magic` type mime_matches: vector of mime_match; ## A connection's transport-layer protocol. Note that Bro uses the term @@ -126,7 +126,7 @@ type transport_proto: enum { ## ## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as ## part of the port values, `orig_p` and `resp_p`, and can be extracted from -## them with :bro:id:`get_port_transport_proto`. +## them with :zeek:id:`get_port_transport_proto`. type conn_id: record { orig_h: addr; ##< The originator's IP address. orig_p: port; ##< The originator's port number. @@ -138,7 +138,7 @@ type conn_id: record { ## ## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as ## part of the port values, `src_p` and `dst_p`, and can be extracted from -## them with :bro:id:`get_port_transport_proto`. +## them with :zeek:id:`get_port_transport_proto`. type flow_id : record { src_h: addr; ##< The source IP address. src_p: port; ##< The source port number. 
@@ -147,9 +147,9 @@ type flow_id : record { } &log; ## Specifics about an ICMP conversation. ICMP events typically pass this in -## addition to :bro:type:`conn_id`. +## addition to :zeek:type:`conn_id`. ## -## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent +## .. zeek:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent ## icmp_time_exceeded icmp_unreachable type icmp_conn: record { orig_h: addr; ##< The originator's IP address. @@ -164,7 +164,7 @@ type icmp_conn: record { ## Packet context part of an ICMP message. The fields of this record reflect the ## packet that is described by the context. ## -## .. bro:see:: icmp_time_exceeded icmp_unreachable +## .. zeek:see:: icmp_time_exceeded icmp_unreachable type icmp_context: record { id: conn_id; ##< The packet's 4-tuple. len: count; ##< The length of the IP packet (headers + payload). @@ -183,7 +183,7 @@ type icmp_context: record { ## Values extracted from a Prefix Information option in an ICMPv6 neighbor ## discovery message as specified by :rfc:`4861`. ## -## .. bro:see:: icmp6_nd_option +## .. zeek:see:: icmp6_nd_option type icmp6_nd_prefix_info: record { ## Number of leading bits of the *prefix* that are valid. prefix_len: count; @@ -199,14 +199,14 @@ type icmp6_nd_prefix_info: record { ## (0xffffffff represents infinity). preferred_lifetime: interval; ## An IP address or prefix of an IP address. Use the *prefix_len* field - ## to convert this into a :bro:type:`subnet`. + ## to convert this into a :zeek:type:`subnet`. prefix: addr; }; ## Options extracted from ICMPv6 neighbor discovery messages as specified ## by :rfc:`4861`. ## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_advertisement icmp_neighbor_solicitation icmp_redirect ## icmp6_nd_options type icmp6_nd_option: record { 
@@ -238,7 +238,7 @@ type icmp6_nd_options: vector of icmp6_nd_option; # A DNS mapping between IP address and hostname resolved by Bro's internal # resolver. # -# .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +# .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name # dns_mapping_unverified dns_mapping_valid type dns_mapping: record { ## The time when the mapping was created, which corresponds to when @@ -264,7 +264,7 @@ type dns_mapping: record { ## A parsed host/port combination describing server endpoint for an upcoming ## data transfer. ## -## .. bro:see:: fmt_ftp_port parse_eftp_port parse_ftp_epsv parse_ftp_pasv +## .. zeek:see:: fmt_ftp_port parse_eftp_port parse_ftp_epsv parse_ftp_pasv ## parse_ftp_port type ftp_port: record { h: addr; ##< The host's address. @@ -274,7 +274,7 @@ type ftp_port: record { ## Statistics about what a TCP endpoint sent. ## -## .. bro:see:: conn_stats +## .. zeek:see:: conn_stats type endpoint_stats: record { num_pkts: count; ##< Number of packets. num_rxmit: count; ##< Number of retransmissions. @@ -283,9 +283,9 @@ type endpoint_stats: record { num_OO: count; ##< Number of out-of-order packets. num_repl: count; ##< Number of replicated packets (last packet was sent again). ## Endian type used by the endpoint, if it could be determined from - ## the sequence numbers used. This is one of :bro:see:`ENDIAN_UNKNOWN`, - ## :bro:see:`ENDIAN_BIG`, :bro:see:`ENDIAN_LITTLE`, and - ## :bro:see:`ENDIAN_CONFUSED`. + ## the sequence numbers used. This is one of :zeek:see:`ENDIAN_UNKNOWN`, + ## :zeek:see:`ENDIAN_BIG`, :zeek:see:`ENDIAN_LITTLE`, and + ## :zeek:see:`ENDIAN_CONFUSED`. endian_type: count; }; 
@@ -302,7 +302,7 @@ export { ## The type of tunnel. tunnel_type: Tunnel::Type; ## A globally unique identifier that, for non-IP-in-IP tunnels, - ## cross-references the *uid* field of :bro:type:`connection`. + ## cross-references the *uid* field of :zeek:type:`connection`. uid: string &optional; } &log; } # end export @@ -316,22 +316,22 @@ module GLOBAL; ## directly and then remove this alias. type EncapsulatingConnVector: vector of Tunnel::EncapsulatingConn; -## Statistics about a :bro:type:`connection` endpoint. +## Statistics about a :zeek:type:`connection` endpoint. ## -## .. bro:see:: connection +## .. zeek:see:: connection type endpoint: record { size: count; ##< Logical size of data sent (for TCP: derived from sequence numbers). ## Endpoint state. For a TCP connection, one of the constants: - ## :bro:see:`TCP_INACTIVE` :bro:see:`TCP_SYN_SENT` - ## :bro:see:`TCP_SYN_ACK_SENT` :bro:see:`TCP_PARTIAL` - ## :bro:see:`TCP_ESTABLISHED` :bro:see:`TCP_CLOSED` :bro:see:`TCP_RESET`. - ## For UDP, one of :bro:see:`UDP_ACTIVE` and :bro:see:`UDP_INACTIVE`. + ## :zeek:see:`TCP_INACTIVE` :zeek:see:`TCP_SYN_SENT` + ## :zeek:see:`TCP_SYN_ACK_SENT` :zeek:see:`TCP_PARTIAL` + ## :zeek:see:`TCP_ESTABLISHED` :zeek:see:`TCP_CLOSED` :zeek:see:`TCP_RESET`. + ## For UDP, one of :zeek:see:`UDP_ACTIVE` and :zeek:see:`UDP_INACTIVE`. state: count; - ## Number of packets sent. Only set if :bro:id:`use_conn_size_analyzer` + ## Number of packets sent. Only set if :zeek:id:`use_conn_size_analyzer` ## is true. num_pkts: count &optional; ## Number of IP-level bytes sent. Only set if - ## :bro:id:`use_conn_size_analyzer` is true. + ## :zeek:id:`use_conn_size_analyzer` is true. num_bytes_ip: count &optional; ## The current IPv6 flow label that the connection endpoint is using. ## Always 0 if the connection is over IPv4. 
@@ -361,7 +361,7 @@ type connection: record { ## to parse the same data. If so, all will be recorded. Also note that ## the recorded services are independent of any transport-level protocols. service: set[string]; - history: string; ##< State history of connections. See *history* in :bro:see:`Conn::Info`. + history: string; ##< State history of connections. See *history* in :zeek:see:`Conn::Info`. ## A globally unique connection identifier. For each connection, Bro ## creates an ID that is very likely unique across independent Bro runs. ## These IDs can thus be used to tag and locate information associated @@ -370,7 +370,7 @@ type connection: record { ## If the connection is tunneled, this field contains information about ## the encapsulating "connection(s)" with the outermost one starting ## at index zero. It's also always the first such encapsulation seen - ## for the connection unless the :bro:id:`tunnel_changed` event is + ## for the connection unless the :zeek:id:`tunnel_changed` event is ## handled and reassigns this field to the new encapsulation. tunnel: EncapsulatingConnVector &optional; @@ -460,7 +460,7 @@ type fa_metadata: record { ## Fields of a SYN packet. ## -## .. bro:see:: connection_SYN_packet +## .. zeek:see:: connection_SYN_packet type SYN_packet: record { is_orig: bool; ##< True if the packet was sent the connection's originator. DF: bool; ##< True if the *don't fragment* is set in the IP header. @@ -474,7 +474,7 @@ type SYN_packet: record { ## Packet capture statistics. All counts are cumulative. ## -## .. bro:see:: get_net_stats +## .. zeek:see:: get_net_stats type NetStats: record { pkts_recvd: count &default=0; ##< Packets received by Bro. pkts_dropped: count &default=0; ##< Packets reported dropped by the system. 
@@ -514,7 +514,7 @@ type ConnStats: record { ## Statistics about Bro's process. ## -## .. bro:see:: get_proc_stats +## .. zeek:see:: get_proc_stats ## ## .. note:: All process-level values refer to Bro's main process only, not to ## the child process it spawns for doing communication. @@ -540,7 +540,7 @@ type EventStats: record { ## Holds statistics for all types of reassembly. ## -## .. bro:see:: get_reassembler_stats +## .. zeek:see:: get_reassembler_stats type ReassemblerStats: record { file_size: count; ##< Byte size of File reassembly tracking. frag_size: count; ##< Byte size of Fragment reassembly tracking. @@ -550,7 +550,7 @@ type ReassemblerStats: record { ## Statistics of all regular expression matchers. ## -## .. bro:see:: get_matcher_stats +## .. zeek:see:: get_matcher_stats type MatcherStats: record { matchers: count; ##< Number of distinct RE matchers. nfa_states: count; ##< Number of NFA states across all matchers. @@ -563,7 +563,7 @@ type MatcherStats: record { ## Statistics of timers. ## -## .. bro:see:: get_timer_stats +## .. zeek:see:: get_timer_stats type TimerStats: record { current: count; ##< Current number of pending timers. max: count; ##< Maximum number of concurrent timers pending so far. @@ -572,7 +572,7 @@ type TimerStats: record { ## Statistics of file analysis. ## -## .. bro:see:: get_file_analysis_stats +## .. zeek:see:: get_file_analysis_stats type FileAnalysisStats: record { current: count; ##< Current number of files being analyzed. max: count; ##< Maximum number of concurrent files so far. @@ -583,7 +583,7 @@ type FileAnalysisStats: record { ## about Bro performing DNS queries on it's own, not traffic ## being seen. ## -## .. bro:see:: get_dns_stats +## .. zeek:see:: get_dns_stats type DNSStats: record { requests: count; ##< Number of DNS requests made successful: count; ##< Number of successful DNS replies. 
@@ -595,7 +595,7 @@ type DNSStats: record { ## Statistics about number of gaps in TCP connections. ## -## .. bro:see:: get_gap_stats +## .. zeek:see:: get_gap_stats type GapStats: record { ack_events: count; ##< How many ack events *could* have had gaps. ack_bytes: count; ##< How many bytes those covered. @@ -605,14 +605,14 @@ type GapStats: record { ## Statistics about threads. ## -## .. bro:see:: get_thread_stats +## .. zeek:see:: get_thread_stats type ThreadStats: record { num_threads: count; }; ## Statistics about Broker communication. ## -## .. bro:see:: get_broker_stats +## .. zeek:see:: get_broker_stats type BrokerStats: record { num_peers: count; ## Number of active data stores. @@ -635,7 +635,7 @@ type BrokerStats: record { ## Statistics about reporter messages and weirds. ## -## .. bro:see:: get_reporter_stats +## .. zeek:see:: get_reporter_stats type ReporterStats: record { ## Number of total weirds encountered, before any rate-limiting. weirds: count; @@ -657,7 +657,7 @@ type packet: record { ## Table type used to map variable names to their memory allocation. ## -## .. bro:see:: global_sizes +## .. zeek:see:: global_sizes ## ## .. todo:: We need this type definition only for declaring builtin functions ## via ``bifcl``. We should extend ``bifcl`` to understand composite types 
@@ -666,21 +666,21 @@ type var_sizes: table[string] of count; ## Meta-information about a script-level identifier. ## -## .. bro:see:: global_ids id_table +## .. zeek:see:: global_ids id_table type script_id: record { type_name: string; ##< The name of the identifier's type. exported: bool; ##< True if the identifier is exported. constant: bool; ##< True if the identifier is a constant. enum_constant: bool; ##< True if the identifier is an enum value. option_value: bool; ##< True if the identifier is an option. - redefinable: bool; ##< True if the identifier is declared with the :bro:attr:`&redef` attribute. + redefinable: bool; ##< True if the identifier is declared with the :zeek:attr:`&redef` attribute. value: any &optional; ##< The current value of the identifier. }; ## Table type used to map script-level identifiers to meta-information ## describing them. ## -## .. bro:see:: global_ids script_id +## .. zeek:see:: global_ids script_id ## ## .. todo:: We need this type definition only for declaring builtin functions ## via ``bifcl``. We should extend ``bifcl`` to understand composite types 
@@ -689,20 +689,20 @@ type id_table: table[string] of script_id; ## Meta-information about a record field. ## -## .. bro:see:: record_fields record_field_table +## .. zeek:see:: record_fields record_field_table type record_field: record { type_name: string; ##< The name of the field's type. - log: bool; ##< True if the field is declared with :bro:attr:`&log` attribute. + log: bool; ##< True if the field is declared with :zeek:attr:`&log` attribute. ## The current value of the field in the record instance passed into - ## :bro:see:`record_fields` (if it has one). + ## :zeek:see:`record_fields` (if it has one). value: any &optional; - default_val: any &optional; ##< The value of the :bro:attr:`&default` attribute if defined. + default_val: any &optional; ##< The value of the :zeek:attr:`&default` attribute if defined. }; ## Table type used to map record field declarations to meta-information ## describing them. ## -## .. bro:see:: record_fields record_field +## .. zeek:see:: record_fields record_field ## ## .. todo:: We need this type definition only for declaring builtin functions ## via ``bifcl``. We should extend ``bifcl`` to understand composite types 
@@ -711,21 +711,21 @@ type record_field_table: table[string] of record_field; ## Meta-information about a parameter to a function/event. ## -## .. bro:see:: call_argument_vector new_event +## .. zeek:see:: call_argument_vector new_event type call_argument: record { name: string; ##< The name of the parameter. type_name: string; ##< The name of the parameters's type. - default_val: any &optional; ##< The value of the :bro:attr:`&default` attribute if defined. + default_val: any &optional; ##< The value of the :zeek:attr:`&default` attribute if defined. ## The value of the parameter as passed into a given call instance. - ## Might be unset in the case a :bro:attr:`&default` attribute is + ## Might be unset in the case a :zeek:attr:`&default` attribute is ## defined. value: any &optional; }; ## Vector type used to capture parameters of a function/event call. ## -## .. bro:see:: call_argument new_event +## .. zeek:see:: call_argument new_event type call_argument_vector: vector of call_argument; # todo:: Do we still need these here? Can they move into the packet filter 
@@ -736,28 +736,28 @@ type call_argument_vector: vector of call_argument; ## Set of BPF capture filters to use for capturing, indexed by a user-definable ## ID (which must be unique). If Bro is *not* configured with -## :bro:id:`PacketFilter::enable_auto_protocol_capture_filters`, +## :zeek:id:`PacketFilter::enable_auto_protocol_capture_filters`, ## all packets matching at least one of the filters in this table (and all in -## :bro:id:`restrict_filters`) will be analyzed. +## :zeek:id:`restrict_filters`) will be analyzed. ## -## .. bro:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters +## .. zeek:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters ## PacketFilter::unrestricted_filter restrict_filters global capture_filters: table[string] of string &redef; ## Set of BPF filters to restrict capturing, indexed by a user-definable ID ## (which must be unique). ## -## .. bro:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters +## .. zeek:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters ## PacketFilter::unrestricted_filter capture_filters global restrict_filters: table[string] of string &redef; ## Enum type identifying dynamic BPF filters. These are used by -## :bro:see:`Pcap::precompile_pcap_filter` and :bro:see:`Pcap::precompile_pcap_filter`. +## :zeek:see:`Pcap::precompile_pcap_filter` and :zeek:see:`Pcap::precompile_pcap_filter`. type PcapFilterID: enum { None }; ## Deprecated. ## -## .. bro:see:: anonymize_addr +## .. zeek:see:: anonymize_addr type IPAddrAnonymization: enum { KEEP_ORIG_ADDR, SEQUENTIALLY_NUMBERED, @@ -768,7 +768,7 @@ type IPAddrAnonymization: enum { ## Deprecated. ## -## .. bro:see:: anonymize_addr +## .. zeek:see:: anonymize_addr type IPAddrAnonymizationClass: enum { ORIG_ADDR, RESP_ADDR, 
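Review bot: The doc comment above `type PcapFilterID` still names the same function twice after the role rename: ``:zeek:see:`Pcap::precompile_pcap_filter` and :zeek:see:`Pcap::precompile_pcap_filter` ``. The second reference was presumably meant to be the install counterpart, so the line would read ``## :zeek:see:`Pcap::precompile_pcap_filter` and :zeek:see:`Pcap::install_pcap_filter`.``; confirm against the Pcap BIFs before changing it. The same kind of duplicate appears in the see-lists of `udp_content_deliver_all_orig` and `udp_content_deliver_all_resp` in the later hunks, where `tcp_content_delivery_ports_orig` is listed twice and `tcp_content_deliver_all_orig` looks to be the entry that was intended. These comments feed the generated reference documentation, so the duplicated targets hide the related identifiers from readers.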
@@ -776,14 +776,14 @@ type IPAddrAnonymizationClass: enum { }; ## A locally unique ID identifying a communication peer. The ID is returned by -## :bro:id:`connect`. +## :zeek:id:`connect`. ## -## .. bro:see:: connect +## .. zeek:see:: connect type peer_id: count; ## A communication peer. ## -## .. bro:see:: complete_handshake disconnect finished_send_state +## .. zeek:see:: complete_handshake disconnect finished_send_state ## get_event_peer get_local_event_peer remote_capture_filter ## remote_connection_closed remote_connection_error ## remote_connection_established remote_connection_handshake_done @@ -794,19 +794,19 @@ type peer_id: count; ## ## .. todo::The type's name is too narrow these days, should rename. type event_peer: record { - id: peer_id; ##< Locally unique ID of peer (returned by :bro:id:`connect`). + id: peer_id; ##< Locally unique ID of peer (returned by :zeek:id:`connect`). host: addr; ##< The IP address of the peer. ## Either the port we connected to at the peer; or our port the peer ## connected to if the session is remotely initiated. p: port; is_local: bool; ##< True if this record describes the local process. - descr: string; ##< The peer's :bro:see:`peer_description`. + descr: string; ##< The peer's :zeek:see:`peer_description`. class: string &optional; ##< The self-assigned *class* of the peer. }; ## Deprecated. ## -## .. bro:see:: rotate_file rotate_file_by_name rotate_interval +## .. zeek:see:: rotate_file rotate_file_by_name rotate_interval type rotate_info: record { old_name: string; ##< Original filename. new_name: string; ##< File name after rotation. @@ -824,7 +824,7 @@ type rotate_info: record { ## Parameters for the Smith-Waterman algorithm. ## -## .. bro:see:: str_smith_waterman +## .. zeek:see:: str_smith_waterman type sw_params: record { ## Minimum size of a substring, minimum "granularity". min_strlen: count &default = 3; 
@@ -835,7 +835,7 @@ type sw_params: record { ## Helper type for return value of Smith-Waterman algorithm. ## -## .. bro:see:: str_smith_waterman sw_substring_vec sw_substring sw_align_vec sw_params +## .. zeek:see:: str_smith_waterman sw_substring_vec sw_substring sw_align_vec sw_params type sw_align: record { str: string; ##< String a substring is part of. index: count; ##< Offset substring is located. @@ -843,12 +843,12 @@ type sw_align: record { ## Helper type for return value of Smith-Waterman algorithm. ## -## .. bro:see:: str_smith_waterman sw_substring_vec sw_substring sw_align sw_params +## .. zeek:see:: str_smith_waterman sw_substring_vec sw_substring sw_align sw_params type sw_align_vec: vector of sw_align; ## Helper type for return value of Smith-Waterman algorithm. ## -## .. bro:see:: str_smith_waterman sw_substring_vec sw_align_vec sw_align sw_params +## .. zeek:see:: str_smith_waterman sw_substring_vec sw_align_vec sw_align sw_params ## type sw_substring: record { str: string; ##< A substring. @@ -858,7 +858,7 @@ type sw_substring: record { ## Return type for Smith-Waterman algorithm. ## -## .. bro:see:: str_smith_waterman sw_substring sw_align_vec sw_align sw_params +## .. zeek:see:: str_smith_waterman sw_substring sw_align_vec sw_align sw_params ## ## .. todo:: We need this type definition only for declaring builtin functions ## via ``bifcl``. We should extend ``bifcl`` to understand composite types @@ -869,7 +869,7 @@ type sw_substring_vec: vector of sw_substring; ## includes the complete packet as returned by libpcap, including the link-layer ## header. ## -## .. bro:see:: dump_packet get_current_packet +## .. zeek:see:: dump_packet get_current_packet type pcap_packet: record { ts_sec: count; ##< The non-fractional part of the packet's timestamp (i.e., full seconds since the epoch). ts_usec: count; ##< The fractional part of the packet's timestamp. 
@@ -881,7 +881,7 @@ type pcap_packet: record { ## GeoIP location information. ## -## .. bro:see:: lookup_location +## .. zeek:see:: lookup_location type geo_location: record { country_code: string &optional; ##< The country code. region: string &optional; ##< The region. @@ -898,7 +898,7 @@ const mmdb_dir: string = "" &redef; ## `_ for more information, Bro uses the same ## code. ## -## .. bro:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy +## .. zeek:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy type entropy_test_result: record { entropy: double; ##< Information density. chi_square: double; ##< Chi-Square value. @@ -907,7 +907,7 @@ type entropy_test_result: record { serial_correlation: double; ##< Serial correlation coefficient. }; -# TCP values for :bro:see:`endpoint` *state* field. +# TCP values for :zeek:see:`endpoint` *state* field. # todo:: these should go into an enum to make them autodoc'able. const TCP_INACTIVE = 0; ##< Endpoint is still inactive. const TCP_SYN_SENT = 1; ##< Endpoint has sent SYN. @@ -917,7 +917,7 @@ const TCP_ESTABLISHED = 4; ##< Endpoint has finished initial handshake regularly const TCP_CLOSED = 5; ##< Endpoint has closed connection. const TCP_RESET = 6; ##< Endpoint has sent RST. -# UDP values for :bro:see:`endpoint` *state* field. +# UDP values for :zeek:see:`endpoint` *state* field. # todo:: these should go into an enum to make them autodoc'able. const UDP_INACTIVE = 0; ##< Endpoint is still inactive. const UDP_ACTIVE = 1; ##< Endpoint has sent something. @@ -933,7 +933,7 @@ const ignore_checksums = F &redef; const partial_connection_ok = T &redef; ## If true, instantiate connection state when a SYN/ACK is seen but not the -## initial SYN (even if :bro:see:`partial_connection_ok` is false). +## initial SYN (even if :zeek:see:`partial_connection_ok` is false). const tcp_SYN_ack_ok = T &redef; ## If true, pass any undelivered to the signature engine before flushing the state. 
@@ -963,53 +963,53 @@ const tcp_close_delay = 5 secs &redef; ## Upon seeing a RST, flush state after this much time. const tcp_reset_delay = 5 secs &redef; -## Generate a :bro:id:`connection_partial_close` event this much time after one +## Generate a :zeek:id:`connection_partial_close` event this much time after one ## half of a partial connection closes, assuming there has been no subsequent ## activity. const tcp_partial_close_delay = 3 secs &redef; ## If a connection belongs to an application that we don't analyze, ## time it out after this interval. If 0 secs, then don't time it out (but -## :bro:see:`tcp_inactivity_timeout`, :bro:see:`udp_inactivity_timeout`, and -## :bro:see:`icmp_inactivity_timeout` still apply). +## :zeek:see:`tcp_inactivity_timeout`, :zeek:see:`udp_inactivity_timeout`, and +## :zeek:see:`icmp_inactivity_timeout` still apply). const non_analyzed_lifetime = 0 secs &redef; ## If a TCP connection is inactive, time it out after this interval. If 0 secs, ## then don't time it out. ## -## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout +## .. zeek:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout const tcp_inactivity_timeout = 5 min &redef; ## If a UDP flow is inactive, time it out after this interval. If 0 secs, then ## don't time it out. ## -## .. bro:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout +## .. zeek:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout const udp_inactivity_timeout = 1 min &redef; ## If an ICMP flow is inactive, time it out after this interval. If 0 secs, then ## don't time it out. ## -## .. bro:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout +## .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout const icmp_inactivity_timeout = 1 min &redef; ## Number of FINs/RSTs in a row that constitute a "storm". 
Storms are reported ## as ``weird`` via the notice framework, and they must also come within -## intervals of at most :bro:see:`tcp_storm_interarrival_thresh`. +## intervals of at most :zeek:see:`tcp_storm_interarrival_thresh`. ## -## .. bro:see:: tcp_storm_interarrival_thresh +## .. zeek:see:: tcp_storm_interarrival_thresh const tcp_storm_thresh = 1000 &redef; ## FINs/RSTs must come with this much time or less between them to be ## considered a "storm". ## -## .. bro:see:: tcp_storm_thresh +## .. zeek:see:: tcp_storm_thresh const tcp_storm_interarrival_thresh = 1 sec &redef; ## Maximum amount of data that might plausibly be sent in an initial flight ## (prior to receiving any acks). Used to determine whether we must not be ## seeing our peer's ACKs. Set to zero to turn off this determination. ## -## .. bro:see:: tcp_max_above_hole_without_any_acks tcp_excessive_data_without_further_acks +## .. zeek:see:: tcp_max_above_hole_without_any_acks tcp_excessive_data_without_further_acks const tcp_max_initial_window = 16384 &redef; ## If we're not seeing our peer's ACKs, the maximum volume of data above a @@ -1017,7 +1017,7 @@ const tcp_max_initial_window = 16384 &redef; ## drop and we should give up on tracking a connection. If set to zero, then we ## don't ever give up. ## -## .. bro:see:: tcp_max_initial_window tcp_excessive_data_without_further_acks +## .. zeek:see:: tcp_max_initial_window tcp_excessive_data_without_further_acks const tcp_max_above_hole_without_any_acks = 16384 &redef; ## If we've seen this much data without any of it being acked, we give up 
@@ -1026,7 +1026,7 @@ const tcp_max_above_hole_without_any_acks = 16384 &redef; ## track the current window on a connection and use it to infer that data ## has in fact gone too far, but for now we just make this quite beefy. ## -## .. bro:see:: tcp_max_initial_window tcp_max_above_hole_without_any_acks +## .. zeek:see:: tcp_max_initial_window tcp_max_above_hole_without_any_acks const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024 &redef; ## Number of TCP segments to buffer beyond what's been acknowledged already 
@@ -1037,46 +1037,46 @@ const tcp_max_old_segments = 0 &redef; ## For services without a handler, these sets define originator-side ports ## that still trigger reassembly. ## -## .. bro:see:: tcp_reassembler_ports_resp +## .. zeek:see:: tcp_reassembler_ports_resp const tcp_reassembler_ports_orig: set[port] = {} &redef; ## For services without a handler, these sets define responder-side ports ## that still trigger reassembly. ## -## .. bro:see:: tcp_reassembler_ports_orig +## .. zeek:see:: tcp_reassembler_ports_orig const tcp_reassembler_ports_resp: set[port] = {} &redef; ## Defines destination TCP ports for which the contents of the originator stream -## should be delivered via :bro:see:`tcp_contents`. +## should be delivered via :zeek:see:`tcp_contents`. ## -## .. bro:see:: tcp_content_delivery_ports_resp tcp_content_deliver_all_orig +## .. zeek:see:: tcp_content_delivery_ports_resp tcp_content_deliver_all_orig ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig ## udp_content_delivery_ports_resp udp_content_deliver_all_orig ## udp_content_deliver_all_resp tcp_contents const tcp_content_delivery_ports_orig: table[port] of bool = {} &redef; ## Defines destination TCP ports for which the contents of the responder stream -## should be delivered via :bro:see:`tcp_contents`. +## should be delivered via :zeek:see:`tcp_contents`. ## -## .. bro:see:: tcp_content_delivery_ports_orig tcp_content_deliver_all_orig +## .. zeek:see:: tcp_content_delivery_ports_orig tcp_content_deliver_all_orig ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig ## udp_content_delivery_ports_resp udp_content_deliver_all_orig ## udp_content_deliver_all_resp tcp_contents const tcp_content_delivery_ports_resp: table[port] of bool = {} &redef; ## If true, all TCP originator-side traffic is reported via -## :bro:see:`tcp_contents`. +## :zeek:see:`tcp_contents`. ## -## .. bro:see:: tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp +## .. 
zeek:see:: tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig ## udp_content_delivery_ports_resp udp_content_deliver_all_orig ## udp_content_deliver_all_resp tcp_contents const tcp_content_deliver_all_orig = F &redef; ## If true, all TCP responder-side traffic is reported via -## :bro:see:`tcp_contents`. +## :zeek:see:`tcp_contents`. ## -## .. bro:see:: tcp_content_delivery_ports_orig +## .. zeek:see:: tcp_content_delivery_ports_orig ## tcp_content_delivery_ports_resp ## tcp_content_deliver_all_orig udp_content_delivery_ports_orig ## udp_content_delivery_ports_resp udp_content_deliver_all_orig @@ -1084,9 +1084,9 @@ const tcp_content_deliver_all_orig = F &redef; const tcp_content_deliver_all_resp = F &redef; ## Defines UDP destination ports for which the contents of the originator stream -## should be delivered via :bro:see:`udp_contents`. +## should be delivered via :zeek:see:`udp_contents`. ## -## .. bro:see:: tcp_content_delivery_ports_orig +## .. zeek:see:: tcp_content_delivery_ports_orig ## tcp_content_delivery_ports_resp ## tcp_content_deliver_all_orig tcp_content_deliver_all_resp ## udp_content_delivery_ports_resp udp_content_deliver_all_orig 
@@ -1094,18 +1094,18 @@ const tcp_content_deliver_all_resp = F &redef; const udp_content_delivery_ports_orig: table[port] of bool = {} &redef; ## Defines UDP destination ports for which the contents of the responder stream -## should be delivered via :bro:see:`udp_contents`. +## should be delivered via :zeek:see:`udp_contents`. ## -## .. bro:see:: tcp_content_delivery_ports_orig +## .. zeek:see:: tcp_content_delivery_ports_orig ## tcp_content_delivery_ports_resp tcp_content_deliver_all_orig ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig ## udp_content_deliver_all_orig udp_content_deliver_all_resp udp_contents const udp_content_delivery_ports_resp: table[port] of bool = {} &redef; ## If true, all UDP originator-side traffic is reported via -## :bro:see:`udp_contents`. +## :zeek:see:`udp_contents`. ## -## .. bro:see:: tcp_content_delivery_ports_orig +## .. zeek:see:: tcp_content_delivery_ports_orig ## tcp_content_delivery_ports_resp tcp_content_deliver_all_resp ## tcp_content_delivery_ports_orig udp_content_delivery_ports_orig ## udp_content_delivery_ports_resp udp_content_deliver_all_resp @@ -1113,9 +1113,9 @@ const udp_content_delivery_ports_resp: table[port] of bool = {} &redef; const udp_content_deliver_all_orig = F &redef; ## If true, all UDP responder-side traffic is reported via -## :bro:see:`udp_contents`. +## :zeek:see:`udp_contents`. ## -## .. bro:see:: tcp_content_delivery_ports_orig +## .. zeek:see:: tcp_content_delivery_ports_orig ## tcp_content_delivery_ports_resp tcp_content_deliver_all_resp ## tcp_content_delivery_ports_orig udp_content_delivery_ports_orig ## udp_content_delivery_ports_resp udp_content_deliver_all_orig 
@@ -1124,19 +1124,19 @@ const udp_content_deliver_all_resp = F &redef; ## Check for expired table entries after this amount of time. ## -## .. bro:see:: table_incremental_step table_expire_delay +## .. zeek:see:: table_incremental_step table_expire_delay const table_expire_interval = 10 secs &redef; ## When expiring/serializing table entries, don't work on more than this many ## table entries at a time. ## -## .. bro:see:: table_expire_interval table_expire_delay +## .. zeek:see:: table_expire_interval table_expire_delay const table_incremental_step = 5000 &redef; ## When expiring table entries, wait this amount of time before checking the ## next chunk of entries. ## -## .. bro:see:: table_expire_interval table_incremental_step +## .. zeek:see:: table_expire_interval table_incremental_step const table_expire_delay = 0.01 secs &redef; ## Time to wait before timing out a DNS request. @@ -1158,7 +1158,7 @@ const encap_hdr_size = 0 &redef; ## Whether to use the ``ConnSize`` analyzer to count the number of packets and ## IP-level bytes transferred by each endpoint. If true, these values are -## returned in the connection's :bro:see:`endpoint` record value. +## returned in the connection's :zeek:see:`endpoint` record value. const use_conn_size_analyzer = T &redef; # todo:: these should go into an enum to make them autodoc'able. @@ -1167,7 +1167,7 @@ const ENDIAN_LITTLE = 1; ##< Little endian. const ENDIAN_BIG = 2; ##< Big endian. const ENDIAN_CONFUSED = 3; ##< Tried to determine endian, but failed. -# Values for :bro:see:`set_contents_file` *direction* argument. +# Values for :zeek:see:`set_contents_file` *direction* argument. # todo:: these should go into an enum to make them autodoc'able const CONTENTS_NONE = 0; ##< Turn off recording of contents. const CONTENTS_ORIG = 1; ##< Record originator contents. 
@@ -1177,7 +1177,7 @@ const CONTENTS_BOTH = 3; ##< Record both originator and responder contents. # Values for code of ICMP *unreachable* messages. The list is not exhaustive. # todo:: these should go into an enum to make them autodoc'able # -# .. bro:see:: icmp_unreachable +# .. zeek:see:: icmp_unreachable const ICMP_UNREACH_NET = 0; ##< Network unreachable. const ICMP_UNREACH_HOST = 1; ##< Host unreachable. const ICMP_UNREACH_PROTOCOL = 2; ##< Protocol unreachable. @@ -1211,7 +1211,7 @@ const IPPROTO_MOBILITY = 135; ##< IPv6 mobility header. ## Values extracted from an IPv6 extension header's (e.g. hop-by-hop or ## destination option headers) option field. ## -## .. bro:see:: ip6_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts +## .. zeek:see:: ip6_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts type ip6_option: record { otype: count; ##< Option type. len: count; ##< Option data length. @@ -1223,10 +1223,10 @@ type ip6_options: vector of ip6_option; ## Values extracted from an IPv6 Hop-by-Hop options extension header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option +## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option type ip6_hopopts: record { ## Protocol number of the next header (RFC 1700 et seq., IANA assigned - ## number), e.g. :bro:id:`IPPROTO_ICMP`. + ## number), e.g. :zeek:id:`IPPROTO_ICMP`. nxt: count; ## Length of header in 8-octet units, excluding first unit. len: count; @@ -1236,10 +1236,10 @@ type ip6_hopopts: record { ## Values extracted from an IPv6 Destination options extension header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option +## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option type ip6_dstopts: record { ## Protocol number of the next header (RFC 1700 et seq., IANA assigned - ## number), e.g. :bro:id:`IPPROTO_ICMP`. + ## number), e.g. :zeek:id:`IPPROTO_ICMP`. nxt: count; ## Length of header in 8-octet units, excluding first unit. len: count; 
@@ -1249,10 +1249,10 @@ type ip6_dstopts: record { ## Values extracted from an IPv6 Routing extension header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr +## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr type ip6_routing: record { ## Protocol number of the next header (RFC 1700 et seq., IANA assigned - ## number), e.g. :bro:id:`IPPROTO_ICMP`. + ## number), e.g. :zeek:id:`IPPROTO_ICMP`. nxt: count; ## Length of header in 8-octet units, excluding first unit. len: count; @@ -1266,10 +1266,10 @@ type ip6_routing: record { ## Values extracted from an IPv6 Fragment extension header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr +## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr type ip6_fragment: record { ## Protocol number of the next header (RFC 1700 et seq., IANA assigned - ## number), e.g. :bro:id:`IPPROTO_ICMP`. + ## number), e.g. :zeek:id:`IPPROTO_ICMP`. nxt: count; ## 8-bit reserved field. rsv1: count; @@ -1285,10 +1285,10 @@ type ip6_fragment: record { ## Values extracted from an IPv6 Authentication extension header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr +## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr type ip6_ah: record { ## Protocol number of the next header (RFC 1700 et seq., IANA assigned - ## number), e.g. :bro:id:`IPPROTO_ICMP`. + ## number), e.g. :zeek:id:`IPPROTO_ICMP`. nxt: count; ## Length of header in 4-octet units, excluding first two units. len: count; @@ -1304,7 +1304,7 @@ type ip6_ah: record { ## Values extracted from an IPv6 ESP extension header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr +## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr type ip6_esp: record { ## Security Parameters Index. spi: count; 
@@ -1314,7 +1314,7 @@ type ip6_esp: record { ## Values extracted from an IPv6 Mobility Binding Refresh Request message. ## -## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg +## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg type ip6_mobility_brr: record { ## Reserved. rsv: count; @@ -1324,7 +1324,7 @@ type ip6_mobility_brr: record { ## Values extracted from an IPv6 Mobility Home Test Init message. ## -## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg +## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg type ip6_mobility_hoti: record { ## Reserved. rsv: count; @@ -1336,7 +1336,7 @@ type ip6_mobility_hoti: record { ## Values extracted from an IPv6 Mobility Care-of Test Init message. ## -## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg +## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg type ip6_mobility_coti: record { ## Reserved. rsv: count; @@ -1348,7 +1348,7 @@ type ip6_mobility_coti: record { ## Values extracted from an IPv6 Mobility Home Test message. ## -## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg +## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg type ip6_mobility_hot: record { ## Home Nonce Index. nonce_idx: count; @@ -1362,7 +1362,7 @@ type ip6_mobility_hot: record { ## Values extracted from an IPv6 Mobility Care-of Test message. ## -## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg +## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg type ip6_mobility_cot: record { ## Care-of Nonce Index. nonce_idx: count; @@ -1376,7 +1376,7 @@ type ip6_mobility_cot: record { ## Values extracted from an IPv6 Mobility Binding Update message. ## -## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg +## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg type ip6_mobility_bu: record { ## Sequence number. seq: count; 
@@ -1396,7 +1396,7 @@ type ip6_mobility_bu: record { ## Values extracted from an IPv6 Mobility Binding Acknowledgement message. ## -## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg +## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg type ip6_mobility_back: record { ## Status. status: count; @@ -1412,7 +1412,7 @@ type ip6_mobility_back: record { ## Values extracted from an IPv6 Mobility Binding Error message. ## -## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg +## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg type ip6_mobility_be: record { ## Status. status: count; @@ -1424,7 +1424,7 @@ type ip6_mobility_be: record { ## Values extracted from an IPv6 Mobility header's message data. ## -## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr +## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr type ip6_mobility_msg: record { ## The type of message from the header's MH Type field. id: count; @@ -1448,10 +1448,10 @@ type ip6_mobility_msg: record { ## Values extracted from an IPv6 Mobility header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr +## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr type ip6_mobility_hdr: record { ## Protocol number of the next header (RFC 1700 et seq., IANA assigned - ## number), e.g. :bro:id:`IPPROTO_ICMP`. + ## number), e.g. :zeek:id:`IPPROTO_ICMP`. nxt: count; ## Length of header in 8-octet units, excluding first unit. len: count; @@ -1467,7 +1467,7 @@ type ip6_mobility_hdr: record { ## A general container for a more specific IPv6 extension header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_hopopts ip6_dstopts ip6_routing ip6_fragment +## .. zeek:see:: pkt_hdr ip4_hdr ip6_hopopts ip6_dstopts ip6_routing ip6_fragment ## ip6_ah ip6_esp type ip6_ext_hdr: record { ## The RFC 1700 et seq. IANA assigned number identifying the type of 
@@ -1494,7 +1494,7 @@ type ip6_ext_hdr_chain: vector of ip6_ext_hdr; ## Values extracted from an IPv6 header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts +## .. zeek:see:: pkt_hdr ip4_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts ## ip6_routing ip6_fragment ip6_ah ip6_esp type ip6_hdr: record { class: count; ##< Traffic class. @@ -1502,7 +1502,7 @@ type ip6_hdr: record { len: count; ##< Payload length. nxt: count; ##< Protocol number of the next header ##< (RFC 1700 et seq., IANA assigned number) - ##< e.g. :bro:id:`IPPROTO_ICMP`. + ##< e.g. :zeek:id:`IPPROTO_ICMP`. hlim: count; ##< Hop limit. src: addr; ##< Source address. dst: addr; ##< Destination address. @@ -1511,7 +1511,7 @@ type ip6_hdr: record { ## Values extracted from an IPv4 header. ## -## .. bro:see:: pkt_hdr ip6_hdr discarder_check_ip +## .. zeek:see:: pkt_hdr ip6_hdr discarder_check_ip type ip4_hdr: record { hl: count; ##< Header length in bytes. tos: count; ##< Type of service. @@ -1536,7 +1536,7 @@ const TH_FLAGS = 63; ##< Mask combining all flags. ## Values extracted from a TCP header. ## -## .. bro:see:: pkt_hdr discarder_check_tcp +## .. zeek:see:: pkt_hdr discarder_check_tcp type tcp_hdr: record { sport: port; ##< source port. dport: port; ##< destination port @@ -1550,7 +1550,7 @@ type tcp_hdr: record { ## Values extracted from a UDP header. ## -## .. bro:see:: pkt_hdr discarder_check_udp +## .. zeek:see:: pkt_hdr discarder_check_udp type udp_hdr: record { sport: port; ##< source port dport: port; ##< destination port 
@@ -1559,14 +1559,14 @@ type udp_hdr: record { ## Values extracted from an ICMP header. ## -## .. bro:see:: pkt_hdr discarder_check_icmp +## .. zeek:see:: pkt_hdr discarder_check_icmp type icmp_hdr: record { icmp_type: count; ##< type of message }; ## A packet header, consisting of an IP header and transport-layer header. ## -## .. bro:see:: new_packet +## .. zeek:see:: new_packet type pkt_hdr: record { ip: ip4_hdr &optional; ##< The IPv4 header if an IPv4 packet. ip6: ip6_hdr &optional; ##< The IPv6 header if an IPv6 packet. @@ -1577,7 +1577,7 @@ type pkt_hdr: record { ## Values extracted from the layer 2 header. ## -## .. bro:see:: pkt_hdr +## .. zeek:see:: pkt_hdr type l2_hdr: record { encap: link_encap; ##< L2 link encapsulation. len: count; ##< Total frame length on wire. @@ -1591,9 +1591,9 @@ type l2_hdr: record { }; ## A raw packet header, consisting of L2 header and everything in -## :bro:see:`pkt_hdr`. . +## :zeek:see:`pkt_hdr`. . ## -## .. bro:see:: raw_packet pkt_hdr +## .. zeek:see:: raw_packet pkt_hdr type raw_pkt_hdr: record { l2: l2_hdr; ##< The layer 2 header. ip: ip4_hdr &optional; ##< The IPv4 header if an IPv4 packet. @@ -1606,7 +1606,7 @@ type raw_pkt_hdr: record { ## A Teredo origin indication header. See :rfc:`4380` for more information ## about the Teredo protocol. ## -## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication +## .. zeek:see:: teredo_bubble teredo_origin_indication teredo_authentication ## teredo_hdr type teredo_auth: record { id: string; ##< Teredo client identifier. @@ -1622,7 +1622,7 @@ type teredo_auth: record { ## A Teredo authentication header. See :rfc:`4380` for more information ## about the Teredo protocol. ## -## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication +## .. zeek:see:: teredo_bubble teredo_origin_indication teredo_authentication ## teredo_hdr type teredo_origin: record { p: port; ##< Unobfuscated UDP port of Teredo client. 
@@ -1632,7 +1632,7 @@ type teredo_origin: record { ## A Teredo packet header. See :rfc:`4380` for more information about the ## Teredo protocol. ## -## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication +## .. zeek:see:: teredo_bubble teredo_origin_indication teredo_authentication type teredo_hdr: record { auth: teredo_auth &optional; ##< Teredo authentication header. origin: teredo_origin &optional; ##< Teredo origin indication header. @@ -1831,7 +1831,7 @@ global log_file_name: function(tag: string): string &redef; global open_log_file: function(tag: string): file &redef; ## Specifies a directory for Bro to store its persistent state. All globals can -## be declared persistent via the :bro:attr:`&persistent` attribute. +## be declared persistent via the :zeek:attr:`&persistent` attribute. const state_dir = ".state" &redef; ## Length of the delays inserted when storing state incrementally. To avoid @@ -1892,7 +1892,7 @@ global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr) ## Maximum length of payload passed to discarder functions. ## -## .. bro:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp +## .. zeek:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp ## discarder_check_ip global discarder_maxlen = 128 &redef; @@ -1905,7 +1905,7 @@ global discarder_maxlen = 128 &redef; ## ## Returns: True if the packet should not be analyzed any further. ## -## .. bro:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp +## .. zeek:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp ## discarder_maxlen ## ## .. note:: This is very low-level functionality and potentially expensive. 
@@ -1919,11 +1919,11 @@ global discarder_check_ip: function(p: pkt_hdr): bool; ## ## p: The IP and TCP headers of the considered packet. ## -## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload. +## d: Up to :zeek:see:`discarder_maxlen` bytes of the TCP payload. ## ## Returns: True if the packet should not be analyzed any further. ## -## .. bro:see:: discarder_check_ip discarder_check_udp discarder_check_icmp +## .. zeek:see:: discarder_check_ip discarder_check_udp discarder_check_icmp ## discarder_maxlen ## ## .. note:: This is very low-level functionality and potentially expensive. @@ -1937,11 +1937,11 @@ global discarder_check_tcp: function(p: pkt_hdr, d: string): bool; ## ## p: The IP and UDP headers of the considered packet. ## -## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload. +## d: Up to :zeek:see:`discarder_maxlen` bytes of the UDP payload. ## ## Returns: True if the packet should not be analyzed any further. ## -## .. bro:see:: discarder_check_ip discarder_check_tcp discarder_check_icmp +## .. zeek:see:: discarder_check_ip discarder_check_tcp discarder_check_icmp ## discarder_maxlen ## ## .. note:: This is very low-level functionality and potentially expensive. @@ -1957,7 +1957,7 @@ global discarder_check_udp: function(p: pkt_hdr, d: string): bool; ## ## Returns: True if the packet should not be analyzed any further. ## -## .. bro:see:: discarder_check_ip discarder_check_tcp discarder_check_udp +## .. zeek:see:: discarder_check_ip discarder_check_tcp discarder_check_udp ## discarder_maxlen ## ## .. note:: This is very low-level functionality and potentially expensive. @@ -1979,7 +1979,7 @@ const max_remote_events_processed = 10 &redef; # These need to match the definitions in Login.h. # -# .. bro:see:: get_login_state +# .. zeek:see:: get_login_state # # todo:: use enum to make them autodoc'able const LOGIN_STATE_AUTHENTICATE = 0; # Trying to authenticate. 
@@ -2061,7 +2061,7 @@ global login_timeouts: set[string] &redef; ## A MIME header key/value pair. ## -## .. bro:see:: mime_header_list http_all_headers mime_all_headers mime_one_header +## .. zeek:see:: mime_header_list http_all_headers mime_all_headers mime_one_header type mime_header_rec: record { name: string; ##< The header name. value: string; ##< The header value. @@ -2069,22 +2069,22 @@ type mime_header_rec: record { ## A list of MIME headers. ## -## .. bro:see:: mime_header_rec http_all_headers mime_all_headers +## .. zeek:see:: mime_header_rec http_all_headers mime_all_headers type mime_header_list: table[count] of mime_header_rec; ## The length of MIME data segments delivered to handlers of -## :bro:see:`mime_segment_data`. +## :zeek:see:`mime_segment_data`. ## -## .. bro:see:: mime_segment_data mime_segment_overlap_length +## .. zeek:see:: mime_segment_data mime_segment_overlap_length global mime_segment_length = 1024 &redef; ## The number of bytes of overlap between successive segments passed to -## :bro:see:`mime_segment_data`. +## :zeek:see:`mime_segment_data`. global mime_segment_overlap_length = 0 &redef; ## An RPC portmapper mapping. ## -## .. bro:see:: pm_mappings +## .. zeek:see:: pm_mappings type pm_mapping: record { program: count; ##< The RPC program. version: count; ##< The program version. @@ -2093,12 +2093,12 @@ type pm_mapping: record { ## Table of RPC portmapper mappings. ## -## .. bro:see:: pm_request_dump +## .. zeek:see:: pm_request_dump type pm_mappings: table[count] of pm_mapping; ## An RPC portmapper request. ## -## .. bro:see:: pm_attempt_getport pm_request_getport +## .. zeek:see:: pm_attempt_getport pm_request_getport type pm_port_request: record { program: count; ##< The RPC program. version: count; ##< The program version. 
@@ -2107,7 +2107,7 @@ type pm_port_request: record { ## An RPC portmapper *callit* request. ## -## .. bro:see:: pm_attempt_callit pm_request_callit +## .. zeek:see:: pm_attempt_callit pm_request_callit type pm_callit_request: record { program: count; ##< The RPC program. version: count; ##< The program version. @@ -2128,7 +2128,7 @@ type pm_callit_request: record { ## Mapping of numerical RPC status codes to readable messages. ## -## .. bro:see:: pm_attempt_callit pm_attempt_dump pm_attempt_getport +## .. zeek:see:: pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset rpc_dialogue rpc_reply const RPC_status = { [RPC_SUCCESS] = "ok", @@ -2145,17 +2145,17 @@ const RPC_status = { module NFS3; export { - ## If true, :bro:see:`nfs_proc_read` and :bro:see:`nfs_proc_write` + ## If true, :zeek:see:`nfs_proc_read` and :zeek:see:`nfs_proc_write` ## events return the file data that has been read/written. ## - ## .. bro:see:: NFS3::return_data_max NFS3::return_data_first_only + ## .. zeek:see:: NFS3::return_data_max NFS3::return_data_first_only const return_data = F &redef; - ## If :bro:id:`NFS3::return_data` is true, how much data should be + ## If :zeek:id:`NFS3::return_data` is true, how much data should be ## returned at most. const return_data_max = 512 &redef; - ## If :bro:id:`NFS3::return_data` is true, whether to *only* return data + ## If :zeek:id:`NFS3::return_data` is true, whether to *only* return data ## if the read or write offset is 0, i.e., only return data for the ## beginning of the file. const return_data_first_only = T &redef; 
@@ -2171,7 +2171,7 @@ export { ## analyzer. Depending on the reassembler, this might be well after the ## first packet of the request was received. ## - ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup + ## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup ## nfs_proc_mkdir nfs_proc_not_implemented nfs_proc_null ## nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove ## nfs_proc_rmdir nfs_proc_write nfs_reply_status @@ -2206,7 +2206,7 @@ export { ## NFS file attributes. Field names are based on RFC 1813. ## - ## .. bro:see:: nfs_proc_sattr + ## .. zeek:see:: nfs_proc_sattr type sattr_t: record { mode: count &optional; ##< Mode uid: count &optional; ##< User ID. @@ -2218,7 +2218,7 @@ export { ## NFS file attributes. Field names are based on RFC 1813. ## - ## .. bro:see:: nfs_proc_getattr + ## .. zeek:see:: nfs_proc_getattr type fattr_t: record { ftype: file_type_t; ##< File type. mode: count; ##< Mode @@ -2238,7 +2238,7 @@ export { ## NFS symlinkdata attributes. Field names are based on RFC 1813 ## - ## .. bro:see:: nfs_proc_symlink + ## .. zeek:see:: nfs_proc_symlink type symlinkdata_t: record { symlink_attributes: sattr_t; ##< The initial attributes for the symbolic link nfspath: string &optional; ##< The string containing the symbolic link data. @@ -2246,7 +2246,7 @@ export { ## NFS *readdir* arguments. ## - ## .. bro:see:: nfs_proc_readdir + ## .. zeek:see:: nfs_proc_readdir type diropargs_t : record { dirfh: string; ##< The file handle of the directory. fname: string; ##< The name of the file we are interested in. @@ -2254,7 +2254,7 @@ export { ## NFS *rename* arguments. ## - ## .. bro:see:: nfs_proc_rename + ## .. zeek:see:: nfs_proc_rename type renameopargs_t : record { src_dirfh : string; src_fname : string; 
@@ -2264,7 +2264,7 @@ export { ## NFS *symlink* arguments. ## - ## .. bro:see:: nfs_proc_symlink + ## .. zeek:see:: nfs_proc_symlink type symlinkargs_t: record { link : diropargs_t; ##< The location of the link to be created. symlinkdata: symlinkdata_t; ##< The symbolic link to be created. @@ -2272,7 +2272,7 @@ export { ## NFS *link* arguments. ## - ## .. bro:see:: nfs_proc_link + ## .. zeek:see:: nfs_proc_link type linkargs_t: record { fh : string; ##< The file handle for the existing file system object. link : diropargs_t; ##< The location of the link to be created. @@ -2280,7 +2280,7 @@ export { ## NFS *sattr* arguments. ## - ## .. bro:see:: nfs_proc_sattr + ## .. zeek:see:: nfs_proc_sattr type sattrargs_t: record { fh : string; ##< The file handle for the existing file system object. new_attributes: sattr_t; ##< The new attributes for the file. @@ -2290,7 +2290,7 @@ export { ## lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr* ## may be set. ## - ## .. bro:see:: nfs_proc_lookup + ## .. zeek:see:: nfs_proc_lookup type lookup_reply_t: record { fh: string &optional; ##< File handle of object looked up. obj_attr: fattr_t &optional; ##< Optional attributes associated w/ file @@ -2299,7 +2299,7 @@ export { ## NFS *read* arguments. ## - ## .. bro:see:: nfs_proc_read + ## .. zeek:see:: nfs_proc_read type readargs_t: record { fh: string; ##< File handle to read from. offset: count; ##< Offset in file. @@ -2318,7 +2318,7 @@ export { ## NFS *readline* reply. If the request fails, *attr* may be set. If the ## request succeeds, *attr* may be set and all other fields are set. ## - ## .. bro:see:: nfs_proc_readlink + ## .. zeek:see:: nfs_proc_readlink type readlink_reply_t: record { attr: fattr_t &optional; ##< Attributes. nfspath: string &optional; ##< Contents of the symlink; in general a pathname as text. 
@@ -2326,7 +2326,7 @@ export { ## NFS *write* arguments. ## - ## .. bro:see:: nfs_proc_write + ## .. zeek:see:: nfs_proc_write type writeargs_t: record { fh: string; ##< File handle to write to. offset: count; ##< Offset in file. @@ -2337,7 +2337,7 @@ export { ## NFS *wcc* attributes. ## - ## .. bro:see:: NFS3::write_reply_t + ## .. zeek:see:: NFS3::write_reply_t type wcc_attr_t: record { size: count; ##< The size. atime: time; ##< Access time. @@ -2346,7 +2346,7 @@ export { ## NFS *link* reply. ## - ## .. bro:see:: nfs_proc_link + ## .. zeek:see:: nfs_proc_link type link_reply_t: record { post_attr: fattr_t &optional; ##< Optional post-operation attributes of the file system object identified by file preattr: wcc_attr_t &optional; ##< Optional attributes associated w/ file. @@ -2365,7 +2365,7 @@ export { ## If the request succeeds, *pre|post* attr may be set and all other ## fields are set. ## - ## .. bro:see:: nfs_proc_write + ## .. zeek:see:: nfs_proc_write type write_reply_t: record { preattr: wcc_attr_t &optional; ##< Pre operation attributes. postattr: fattr_t &optional; ##< Post operation attributes. @@ -2379,7 +2379,7 @@ export { ## *attr*'s may be set. Note: no guarantee that *fh* is set after ## success. ## - ## .. bro:see:: nfs_proc_create nfs_proc_mkdir + ## .. zeek:see:: nfs_proc_create nfs_proc_mkdir type newobj_reply_t: record { fh: string &optional; ##< File handle of object created. obj_attr: fattr_t &optional; ##< Optional attributes associated w/ new object. @@ -2389,7 +2389,7 @@ export { ## NFS reply for *remove*, *rmdir*. Corresponds to *wcc_data* in the spec. ## - ## .. bro:see:: nfs_proc_remove nfs_proc_rmdir + ## .. zeek:see:: nfs_proc_remove nfs_proc_rmdir type delobj_reply_t: record { dir_pre_attr: wcc_attr_t &optional; ##< Optional attributes associated w/ dir. dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. 
@@ -2397,7 +2397,7 @@ export { ## NFS reply for *rename*. Corresponds to *wcc_data* in the spec. ## - ## .. bro:see:: nfs_proc_rename + ## .. zeek:see:: nfs_proc_rename type renameobj_reply_t: record { src_dir_pre_attr: wcc_attr_t; src_dir_post_attr: fattr_t; @@ -2407,7 +2407,7 @@ export { ## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*. ## - ## .. bro:see:: nfs_proc_readdir + ## .. zeek:see:: nfs_proc_readdir type readdirargs_t: record { isplus: bool; ##< Is this a readdirplus request? dirfh: string; ##< The directory filehandle. @@ -2420,7 +2420,7 @@ export { ## NFS *direntry*. *fh* and *attr* are used for *readdirplus*. However, ## even for *readdirplus* they may not be filled out. ## - ## .. bro:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t + ## .. zeek:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t type direntry_t: record { fileid: count; ##< E.g., inode number. fname: string; ##< Filename. @@ -2431,7 +2431,7 @@ export { ## Vector of NFS *direntry*. ## - ## .. bro:see:: NFS3::readdir_reply_t + ## .. zeek:see:: NFS3::readdir_reply_t type direntry_vec_t: vector of direntry_t; ## NFS *readdir* reply. Used for *readdir* and *readdirplus*. If an is @@ -2473,7 +2473,7 @@ export { # analyzer. Depending on the reassembler, this might be well after the # first packet of the request was received. # - # .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt + # .. zeek:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt # mount_proc_umntall mount_proc_export mount_proc_not_implemented type info_t: record { ## The RPC status. @@ -2506,7 +2506,7 @@ export { ## MOUNT *mnt* arguments. ## - ## .. bro:see:: mount_proc_mnt + ## .. zeek:see:: mount_proc_mnt type dirmntargs_t : record { dirname: string; ##< Name of directory to mount }; 
@@ -2514,7 +2514,7 @@ export { ## MOUNT lookup reply. If the mount failed, *dir_attr* may be set. If the ## mount succeeded, *fh* is always set. ## - ## .. bro:see:: mount_proc_mnt + ## .. zeek:see:: mount_proc_mnt type mnt_reply_t: record { dirfh: string &optional; ##< Dir handle auth_flavors: vector of auth_flavor_t &optional; ##< Returned authentication flavors @@ -2571,7 +2571,7 @@ module GLOBAL; ## An NTP message. ## -## .. bro:see:: ntp_message +## .. zeek:see:: ntp_message type ntp_msg: record { id: count; ##< Message ID. code: count; ##< Message code. @@ -2730,7 +2730,7 @@ export { ## ## For more information, see MS-SMB2:2.2.16 ## - ## .. bro:see:: smb1_nt_create_andx_response smb2_create_response + ## .. zeek:see:: smb1_nt_create_andx_response smb2_create_response type SMB::MACTimes: record { ## The time when data was last written to the file. modified : time &log; @@ -2746,7 +2746,7 @@ export { ## only comes into play as a heuristic to identify named ## pipes when the drive mapping wasn't seen by Bro. ## - ## .. bro:see:: smb_pipe_connect_heuristic + ## .. zeek:see:: smb_pipe_connect_heuristic const SMB::pipe_filenames: set[string] &redef; } @@ -2755,7 +2755,7 @@ module SMB1; export { ## An SMB1 header. ## - ## .. bro:see:: smb1_message smb1_empty_response smb1_error + ## .. zeek:see:: smb1_message smb1_empty_response smb1_error ## smb1_check_directory_request smb1_check_directory_response ## smb1_close_request smb1_create_directory_request ## smb1_create_directory_response smb1_echo_request @@ -3112,7 +3112,7 @@ export { ## ## For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2 ## - ## .. bro:see:: smb2_message smb2_close_request smb2_close_response + ## .. zeek:see:: smb2_message smb2_close_request smb2_close_response ## smb2_create_request smb2_create_response smb2_negotiate_request ## smb2_negotiate_response smb2_read_request ## smb2_session_setup_request smb2_session_setup_response 
@@ -3150,7 +3150,7 @@ export { ## ## For more information, see MS-SMB2:2.2.14.1 ## - ## .. bro:see:: smb2_close_request smb2_create_response smb2_read_request + ## .. zeek:see:: smb2_close_request smb2_create_response smb2_read_request ## smb2_file_rename smb2_file_delete smb2_write_request type SMB2::GUID: record { ## A file handle that remains persistent when reconnected after a disconnect @@ -3163,7 +3163,7 @@ export { ## ## For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6 ## - ## .. bro:see:: smb2_create_response + ## .. zeek:see:: smb2_create_response type SMB2::FileAttrs: record { ## The file is read only. Applications can read the file but cannot ## write to it or delete it. @@ -3214,7 +3214,7 @@ export { ## ## For more information, see MS-SMB2:2.2.16 ## - ## .. bro:see:: smb2_close_response + ## .. zeek:see:: smb2_close_response type SMB2::CloseResponse: record { ## The size, in bytes of the data that is allocated to the file. alloc_size : count; @@ -3289,7 +3289,7 @@ export { ## ## For more information, see MS-SMB2:2.2.4 ## - ## .. bro:see:: smb2_negotiate_response + ## .. zeek:see:: smb2_negotiate_response type SMB2::NegotiateResponse: record { ## The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 ## NEGOTIATE Request. @@ -3314,7 +3314,7 @@ export { ## ## For more information, see MS-SMB2:2.2.5 ## - ## .. bro:see:: smb2_session_setup_request + ## .. zeek:see:: smb2_session_setup_request type SMB2::SessionSetupRequest: record { ## The security mode field specifies whether SMB signing is enabled or required at the client. security_mode: count; @@ -3325,7 +3325,7 @@ export { ## ## For more information, see MS-SMB2:2.2.6 ## - ## .. bro:see:: smb2_session_setup_response + ## .. zeek:see:: smb2_session_setup_response type SMB2::SessionSetupFlags: record { ## If set, the client has been authenticated as a guest user. guest: bool; 
@@ -3341,7 +3341,7 @@ export { ## ## For more information, see MS-SMB2:2.2.6 ## - ## .. bro:see:: smb2_session_setup_response + ## .. zeek:see:: smb2_session_setup_response type SMB2::SessionSetupResponse: record { ## Additional information about the session flags: SMB2::SessionSetupFlags; @@ -3352,7 +3352,7 @@ export { ## ## For more information, see MS-SMB2:2.2.9 ## - ## .. bro:see:: smb2_tree_connect_response + ## .. zeek:see:: smb2_tree_connect_response type SMB2::TreeConnectResponse: record { ## The type of share being accessed. Physical disk, named pipe, or printer. share_type: count; @@ -3362,7 +3362,7 @@ export { ## ## For more information, see MS-SMB2:2.2.13 ## - ## .. bro:see:: smb2_create_request + ## .. zeek:see:: smb2_create_request type SMB2::CreateRequest: record { ## Name of the file filename : string; @@ -3377,7 +3377,7 @@ export { ## ## For more information, see MS-SMB2:2.2.14 ## - ## .. bro:see:: smb2_create_response + ## .. zeek:see:: smb2_create_response type SMB2::CreateResponse: record { ## The SMB2 GUID for the file. file_id : SMB2::GUID; @@ -3395,7 +3395,7 @@ export { ## ## For more information, see MS-SMB2:2.2.41 ## - ## .. bro:see:: smb2_transform_header smb2_message smb2_close_request smb2_close_response + ## .. zeek:see:: smb2_transform_header smb2_message smb2_close_request smb2_close_response ## smb2_create_request smb2_create_response smb2_negotiate_request ## smb2_negotiate_response smb2_read_request ## smb2_session_setup_request smb2_session_setup_response @@ -3424,11 +3424,11 @@ export { ## A list of addresses offered by a DHCP server. Could be routers, ## DNS servers, or other. ## - ## .. bro:see:: dhcp_message + ## .. zeek:see:: dhcp_message type DHCP::Addrs: vector of addr; ## A DHCP message. - ## .. bro:see:: dhcp_message + ## .. zeek:see:: dhcp_message type DHCP::Msg: record { op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY m_type: count; ##< The type of DHCP message. 
@@ -3447,7 +3447,7 @@ export { }; ## DHCP Client Identifier (Option 61) - ## .. bro:see:: dhcp_message + ## .. zeek:see:: dhcp_message type DHCP::ClientID: record { hwtype: count; hwaddr: string; @@ -3467,7 +3467,7 @@ export { }; ## DHCP Relay Agent Information Option (Option 82) - ## .. bro:see:: dhcp_message + ## .. zeek:see:: dhcp_message type DHCP::SubOpt: record { code: count; value: string; @@ -3565,7 +3565,7 @@ export { module GLOBAL; ## A DNS message. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end ## dns_message dns_query_reply dns_rejected dns_request @@ -3590,7 +3590,7 @@ type dns_msg: record { ## A DNS SOA record. ## -## .. bro:see:: dns_SOA_reply +## .. zeek:see:: dns_SOA_reply type dns_soa: record { mname: string; ##< Primary source of data for zone. rname: string; ##< Mailbox for responsible person. @@ -3603,7 +3603,7 @@ type dns_soa: record { ## An additional DNS EDNS record. ## -## .. bro:see:: dns_EDNS_addl +## .. zeek:see:: dns_EDNS_addl type dns_edns_additional: record { query: string; ##< Query. qtype: count; ##< Query type. @@ -3618,7 +3618,7 @@ type dns_edns_additional: record { ## An additional DNS TSIG record. ## -## .. bro:see:: dns_TSIG_addl +## .. zeek:see:: dns_TSIG_addl type dns_tsig_additional: record { query: string; ##< Query. qtype: count; ##< Query type. @@ -3633,7 +3633,7 @@ type dns_tsig_additional: record { ## A DNSSEC RRSIG record. ## -## .. bro:see:: dns_RRSIG +## .. zeek:see:: dns_RRSIG type dns_rrsig_rr: record { query: string; ##< Query. answer_type: count; ##< Ans type. 
@@ -3651,7 +3651,7 @@ type dns_rrsig_rr: record { ## A DNSSEC DNSKEY record. ## -## .. bro:see:: dns_DNSKEY +## .. zeek:see:: dns_DNSKEY type dns_dnskey_rr: record { query: string; ##< Query. answer_type: count; ##< Ans type. @@ -3664,7 +3664,7 @@ type dns_dnskey_rr: record { ## A DNSSEC NSEC3 record. ## -## .. bro:see:: dns_NSEC3 +## .. zeek:see:: dns_NSEC3 type dns_nsec3_rr: record { query: string; ##< Query. answer_type: count; ##< Ans type. @@ -3681,7 +3681,7 @@ type dns_nsec3_rr: record { ## A DNSSEC DS record. ## -## .. bro:see:: dns_DS +## .. zeek:see:: dns_DS type dns_ds_rr: record { query: string; ##< Query. answer_type: count; ##< Ans type. @@ -3694,7 +3694,7 @@ type dns_ds_rr: record { # DNS answer types. # -# .. bro:see:: dns_answerr +# .. zeek:see:: dns_answerr # # todo:: use enum to make them autodoc'able const DNS_QUERY = 0; ##< A query. This shouldn't occur, just for completeness. @@ -3704,12 +3704,12 @@ const DNS_ADDL = 3; ##< An additional record. ## The general part of a DNS reply. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply ## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply ## dns_TXT_reply dns_WKS_reply type dns_answer: record { - ## Answer type. One of :bro:see:`DNS_QUERY`, :bro:see:`DNS_ANS`, - ## :bro:see:`DNS_AUTH` and :bro:see:`DNS_ADDL`. + ## Answer type. One of :zeek:see:`DNS_QUERY`, :zeek:see:`DNS_ANS`, + ## :zeek:see:`DNS_AUTH` and :zeek:see:`DNS_ADDL`. answer_type: count; query: string; ##< Query. qtype: count; ##< Query type. 
@@ -3720,23 +3720,23 @@ type dns_answer: record { ## For DNS servers in these sets, omit processing the AUTH records they include ## in their replies. ## -## .. bro:see:: dns_skip_all_auth dns_skip_addl +## .. zeek:see:: dns_skip_all_auth dns_skip_addl global dns_skip_auth: set[addr] &redef; ## For DNS servers in these sets, omit processing the ADDL records they include ## in their replies. ## -## .. bro:see:: dns_skip_all_addl dns_skip_auth +## .. zeek:see:: dns_skip_all_addl dns_skip_auth global dns_skip_addl: set[addr] &redef; ## If true, all DNS AUTH records are skipped. ## -## .. bro:see:: dns_skip_all_addl dns_skip_auth +## .. zeek:see:: dns_skip_all_addl dns_skip_auth global dns_skip_all_auth = T &redef; ## If true, all DNS ADDL records are skipped. ## -## .. bro:see:: dns_skip_all_auth dns_skip_addl +## .. zeek:see:: dns_skip_all_auth dns_skip_addl global dns_skip_all_addl = T &redef; ## If a DNS request includes more than this many queries, assume it's non-DNS @@ -3751,7 +3751,7 @@ const dns_resolver = [::] &redef; ## HTTP session statistics. ## -## .. bro:see:: http_stats +## .. zeek:see:: http_stats type http_stats_rec: record { num_requests: count; ##< Number of requests. num_replies: count; ##< Number of replies. @@ -3761,7 +3761,7 @@ type http_stats_rec: record { ## HTTP message statistics. ## -## .. bro:see:: http_message_done +## .. zeek:see:: http_message_done type http_message_stat: record { ## When the request/reply line was complete. start: time; 
@@ -3779,25 +3779,25 @@ type http_message_stat: record { ## Maximum number of HTTP entity data delivered to events. ## -## .. bro:see:: http_entity_data skip_http_entity_data skip_http_data +## .. zeek:see:: http_entity_data skip_http_entity_data skip_http_data global http_entity_data_delivery_size = 1500 &redef; ## Skip HTTP data for performance considerations. The skipped ## portion will not go through TCP reassembly. ## -## .. bro:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size +## .. zeek:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size const skip_http_data = F &redef; ## Maximum length of HTTP URIs passed to events. Longer ones will be truncated ## to prevent over-long URIs (usually sent by worms) from slowing down event ## processing. A value of -1 means "do not truncate". ## -## .. bro:see:: http_request +## .. zeek:see:: http_request const truncate_http_URI = -1 &redef; ## IRC join information. ## -## .. bro:see:: irc_join_list +## .. zeek:see:: irc_join_list type irc_join_info: record { nick: string; channel: string; @@ -3807,7 +3807,7 @@ type irc_join_info: record { ## Set of IRC join information. ## -## .. bro:see:: irc_join_message +## .. zeek:see:: irc_join_message type irc_join_list: set[irc_join_info]; module PE; @@ -4016,7 +4016,7 @@ type backdoor_endp_stats: record { ## Description of a signature match. ## -## .. bro:see:: signature_match +## .. zeek:see:: signature_match type signature_state: record { sig_id: string; ##< ID of the matching signature. conn: connection; ##< Matching connection. @@ -4046,7 +4046,7 @@ type software: record { ## Quality of passive fingerprinting matches. ## -## .. bro:see:: OS_version +## .. zeek:see:: OS_version type OS_version_inference: enum { direct_inference, ##< TODO. generic_inference, ##< TODO. 
@@ -4055,7 +4055,7 @@ type OS_version_inference: enum { ## Passive fingerprinting match. ## -## .. bro:see:: OS_version_found +## .. zeek:see:: OS_version_found type OS_version: record { genre: string; ##< Linux, Windows, AIX, ... detail: string; ##< Kernel version or such. @@ -4065,17 +4065,17 @@ type OS_version: record { ## Defines for which subnets we should do passive fingerprinting. ## -## .. bro:see:: OS_version_found +## .. zeek:see:: OS_version_found global generate_OS_version_event: set[subnet] &redef; -# Type used to report load samples via :bro:see:`load_sample`. For now, it's a +# Type used to report load samples via :zeek:see:`load_sample`. For now, it's a # set of names (event names, source file names, and perhaps ````), which were seen during the sample. type load_sample_info: set[string]; ## A BitTorrent peer. ## -## .. bro:see:: bittorrent_peer_set +## .. zeek:see:: bittorrent_peer_set type bittorrent_peer: record { h: addr; ##< The peer's address. p: port; ##< The peer's port. @@ -4083,13 +4083,13 @@ type bittorrent_peer: record { ## A set of BitTorrent peers. ## -## .. bro:see:: bt_tracker_response +## .. zeek:see:: bt_tracker_response type bittorrent_peer_set: set[bittorrent_peer]; ## BitTorrent "benc" value. Note that "benc" = Bencode ("Bee-Encode"), per ## http://en.wikipedia.org/wiki/Bencode. ## -## .. bro:see:: bittorrent_benc_dir +## .. zeek:see:: bittorrent_benc_dir type bittorrent_benc_value: record { i: int &optional; ##< TODO. s: string &optional; ##< TODO. 
@@ -4099,12 +4099,12 @@ type bittorrent_benc_value: record { ## A table of BitTorrent "benc" values. ## -## .. bro:see:: bt_tracker_response +## .. zeek:see:: bt_tracker_response type bittorrent_benc_dir: table[string] of bittorrent_benc_value; ## Header table type used by BitTorrent analyzer. ## -## .. bro:see:: bt_tracker_request bt_tracker_response +## .. zeek:see:: bt_tracker_request bt_tracker_response ## bt_tracker_response_not_ok type bt_tracker_headers: table[string] of string; @@ -4399,7 +4399,7 @@ export { }; ## A ``VarBindList`` data structure from either :rfc:`1157` or :rfc:`3416`. - ## A sequences of :bro:see:`SNMP::Binding`, which maps an OIDs to values. + ## A sequences of :zeek:see:`SNMP::Binding`, which maps an OIDs to values. type SNMP::Bindings: vector of SNMP::Binding; ## A ``PDU`` data structure from either :rfc:`1157` or :rfc:`3416`. 
@@ -4642,77 +4642,77 @@ const log_encryption_key = "" &redef; ## Write profiling info into this file in regular intervals. The easiest way to ## activate profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. ## -## .. bro:see:: profiling_interval expensive_profiling_multiple segment_profiling +## .. zeek:see:: profiling_interval expensive_profiling_multiple segment_profiling global profiling_file: file &redef; ## Update interval for profiling (0 disables). The easiest way to activate ## profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. ## -## .. bro:see:: profiling_file expensive_profiling_multiple segment_profiling +## .. zeek:see:: profiling_file expensive_profiling_multiple segment_profiling const profiling_interval = 0 secs &redef; -## Multiples of :bro:see:`profiling_interval` at which (more expensive) memory +## Multiples of :zeek:see:`profiling_interval` at which (more expensive) memory ## profiling is done (0 disables). ## -## .. bro:see:: profiling_interval profiling_file segment_profiling +## .. zeek:see:: profiling_interval profiling_file segment_profiling const expensive_profiling_multiple = 0 &redef; ## If true, then write segment profiling information (very high volume!) ## in addition to profiling statistics. ## -## .. bro:see:: profiling_interval expensive_profiling_multiple profiling_file +## .. zeek:see:: profiling_interval expensive_profiling_multiple profiling_file const segment_profiling = F &redef; ## Output modes for packet profiling information. ## -## .. bro:see:: pkt_profile_mode pkt_profile_freq pkt_profile_file +## .. zeek:see:: pkt_profile_mode pkt_profile_freq pkt_profile_file type pkt_profile_modes: enum { PKT_PROFILE_MODE_NONE, ##< No output. - PKT_PROFILE_MODE_SECS, ##< Output every :bro:see:`pkt_profile_freq` seconds. - PKT_PROFILE_MODE_PKTS, ##< Output every :bro:see:`pkt_profile_freq` packets. - PKT_PROFILE_MODE_BYTES, ##< Output every :bro:see:`pkt_profile_freq` bytes. 
+ PKT_PROFILE_MODE_SECS, ##< Output every :zeek:see:`pkt_profile_freq` seconds. + PKT_PROFILE_MODE_PKTS, ##< Output every :zeek:see:`pkt_profile_freq` packets. + PKT_PROFILE_MODE_BYTES, ##< Output every :zeek:see:`pkt_profile_freq` bytes. }; ## Output mode for packet profiling information. ## -## .. bro:see:: pkt_profile_modes pkt_profile_freq pkt_profile_file +## .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_file const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef; ## Frequency associated with packet profiling. ## -## .. bro:see:: pkt_profile_modes pkt_profile_mode pkt_profile_file +## .. zeek:see:: pkt_profile_modes pkt_profile_mode pkt_profile_file const pkt_profile_freq = 0.0 &redef; ## File where packet profiles are logged. ## -## .. bro:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode +## .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode global pkt_profile_file: file &redef; -## Rate at which to generate :bro:see:`load_sample` events. As all +## Rate at which to generate :zeek:see:`load_sample` events. As all ## events, the event is only generated if you've also defined a -## :bro:see:`load_sample` handler. Units are inverse number of packets; e.g., +## :zeek:see:`load_sample` handler. Units are inverse number of packets; e.g., ## a value of 20 means "roughly one in every 20 packets". ## -## .. bro:see:: load_sample +## .. zeek:see:: load_sample global load_sample_freq = 20 &redef; ## Whether to attempt to automatically detect SYN/FIN/RST-filtered trace ## and not report missing segments for such connections. ## If this is enabled, then missing data at the end of connections may not -## be reported via :bro:see:`content_gap`. +## be reported via :zeek:see:`content_gap`. const detect_filtered_trace = F &redef; -## Whether we want :bro:see:`content_gap` for partial +## Whether we want :zeek:see:`content_gap` for partial ## connections. A connection is partial if it is missing a full handshake. 
Note ## that gap reports for partial connections might not be reliable. ## -## .. bro:see:: content_gap partial_connection +## .. zeek:see:: content_gap partial_connection const report_gaps_for_partial = F &redef; ## Flag to prevent Bro from exiting automatically when input is exhausted. ## Normally Bro terminates when all packet sources have gone dry ## and communication isn't enabled. If this flag is set, Bro's main loop will -## instead keep idling until :bro:see:`terminate` is explicitly called. +## instead keep idling until :zeek:see:`terminate` is explicitly called. ## ## This is mainly for testing purposes when termination behaviour needs to be ## controlled for reproducing results. @@ -4720,18 +4720,18 @@ const exit_only_after_terminate = F &redef; ## The CA certificate file to authorize remote Bros/Broccolis. ## -## .. bro:see:: ssl_private_key ssl_passphrase +## .. zeek:see:: ssl_private_key ssl_passphrase const ssl_ca_certificate = "" &redef; ## File containing our private key and our certificate. ## -## .. bro:see:: ssl_ca_certificate ssl_passphrase +## .. zeek:see:: ssl_ca_certificate ssl_passphrase const ssl_private_key = "" &redef; ## The passphrase for our private key. Keeping this undefined ## causes Bro to prompt for the passphrase. ## -## .. bro:see:: ssl_private_key ssl_ca_certificate +## .. zeek:see:: ssl_private_key ssl_ca_certificate const ssl_passphrase = "" &redef; ## Default mode for Bro's user-space dynamic packet filter. If true, packets 
@@ -4741,7 +4741,7 @@ const ssl_passphrase = "" &redef; ## .. note:: This is not the BPF packet filter but an additional dynamic filter ## that Bro optionally applies just before normal processing starts. ## -## .. bro:see:: install_dst_addr_filter install_dst_net_filter +## .. zeek:see:: install_dst_addr_filter install_dst_net_filter ## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter ## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter const packet_filter_default = F &redef; @@ -4757,7 +4757,7 @@ const peer_description = "bro" &redef; ## If true, broadcast events received from one peer to all other peers. ## -## .. bro:see:: forward_remote_state_changes +## .. zeek:see:: forward_remote_state_changes ## ## .. note:: This option is only temporary and will disappear once we get a ## more sophisticated script-level communication framework. @@ -4765,7 +4765,7 @@ const forward_remote_events = F &redef; ## If true, broadcast state updates received from one peer to all other peers. ## -## .. bro:see:: forward_remote_events +## .. zeek:see:: forward_remote_events ## ## .. note:: This option is only temporary and will disappear once we get a ## more sophisticated script-level communication framework. 
@@ -4800,16 +4800,16 @@ const REMOTE_SRC_SCRIPT = 3; ##< Message from a policy script. ## Synchronize trace processing at a regular basis in pseudo-realtime mode. ## -## .. bro:see:: remote_trace_sync_peers +## .. zeek:see:: remote_trace_sync_peers const remote_trace_sync_interval = 0 secs &redef; ## Number of peers across which to synchronize trace processing in ## pseudo-realtime mode. ## -## .. bro:see:: remote_trace_sync_interval +## .. zeek:see:: remote_trace_sync_interval const remote_trace_sync_peers = 0 &redef; -## Whether for :bro:attr:`&synchronized` state to send the old value as a +## Whether for :zeek:attr:`&synchronized` state to send the old value as a ## consistency check. const remote_check_sync_consistency = F &redef; @@ -4817,7 +4817,7 @@ const remote_check_sync_consistency = F &redef; ## signature matching. Enabling this provides more accurate matching at the ## expense of CPU cycles. ## -## .. bro:see:: dpd_buffer_size +## .. zeek:see:: dpd_buffer_size ## dpd_match_only_beginning dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not @@ -4832,14 +4832,14 @@ const dpd_reassemble_first_packets = T &redef; ## are activated afterwards. Then only analyzers that can deal with partial ## connections will be able to analyze the session. ## -## .. bro:see:: dpd_reassemble_first_packets dpd_match_only_beginning +## .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning ## dpd_ignore_ports const dpd_buffer_size = 1024 &redef; -## If true, stops signature matching if :bro:see:`dpd_buffer_size` has been +## If true, stops signature matching if :zeek:see:`dpd_buffer_size` has been ## reached. ## -## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size +## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size ## dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not 
@@ -4849,7 +4849,7 @@ const dpd_match_only_beginning = T &redef; ## If true, don't consider any ports for deciding which protocol analyzer to ## use. ## -## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size +## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size ## dpd_match_only_beginning const dpd_ignore_ports = F &redef; @@ -4876,7 +4876,7 @@ const suppress_local_output = F &redef; ## Holds the filename of the trace file given with ``-w`` (empty if none). ## -## .. bro:see:: record_all_packets +## .. zeek:see:: record_all_packets const trace_output_file = ""; ## If a trace file is given with ``-w``, dump *all* packets seen by Bro into it. @@ -4885,16 +4885,16 @@ const trace_output_file = ""; ## actually process them, which can be helpful for debugging in case the ## analysis triggers a crash. ## -## .. bro:see:: trace_output_file +## .. zeek:see:: trace_output_file const record_all_packets = F &redef; -## Ignore certain TCP retransmissions for :bro:see:`conn_stats`. Some +## Ignore certain TCP retransmissions for :zeek:see:`conn_stats`. Some ## connections (e.g., SSH) retransmit the acknowledged last byte to keep the ## connection alive. If *ignore_keep_alive_rexmit* is set to true, such ## retransmissions will be excluded in the rexmit counter in -## :bro:see:`conn_stats`. +## :zeek:see:`conn_stats`. ## -## .. bro:see:: conn_stats +## .. zeek:see:: conn_stats const ignore_keep_alive_rexmit = F &redef; module JSON; 
@@ -4938,14 +4938,14 @@ export { ## With this set, the Teredo analyzer waits until it sees both sides ## of a connection using a valid Teredo encapsulation before issuing - ## a :bro:see:`protocol_confirmation`. If it's false, the first + ## a :zeek:see:`protocol_confirmation`. If it's false, the first ## occurrence of a packet with valid Teredo encapsulation causes a ## confirmation. const delay_teredo_confirmation = T &redef; ## With this set, the GTP analyzer waits until the most-recent upflow ## and downflow packets are a valid GTPv1 encapsulation before - ## issuing :bro:see:`protocol_confirmation`. If it's false, the + ## issuing :zeek:see:`protocol_confirmation`. If it's false, the ## first occurrence of a packet with valid GTPv1 encapsulation causes ## confirmation. Since the same inner connection can be carried ## differing outer upflow/downflow connections, setting to false @@ -4965,7 +4965,7 @@ export { ## The set of UDP ports used for VXLAN traffic. Traffic using this ## UDP destination port will attempt to be decapsulated. Note that if ## if you customize this, you may still want to manually ensure that - ## :bro:see:`likely_server_ports` also gets populated accordingly. + ## :zeek:see:`likely_server_ports` also gets populated accordingly. const vxlan_ports: set[port] = { 4789/udp } &redef; } # end export @@ -5044,7 +5044,7 @@ export { ## "conn" weirds, counters and expiration timers are kept for the duration ## of the connection for each named weird and reset when necessary. E.g. ## if a "conn" weird by the name of "foo" is seen more than - ## :bro:see:`Weird::sampling_threshold` times, then an expiration timer + ## :zeek:see:`Weird::sampling_threshold` times, then an expiration timer ## begins for "foo" and upon triggering will reset the counter for "foo" ## and unthrottle its rate-limiting until it once again exceeds the ## threshold. 
@@ -5064,7 +5064,7 @@ export { ## The threshold, in bytes, at which the BinPAC flowbuffer of a given ## connection/analyzer will have its capacity contracted to - ## :bro:see:`BinPAC::flowbuffer_capacity_min` after parsing a full unit. + ## :zeek:see:`BinPAC::flowbuffer_capacity_min` after parsing a full unit. ## I.e. this is the maximum capacity to reserve in between the parsing of ## units. If, after parsing a unit, the flowbuffer capacity is greater ## than this value, it will be contracted. diff --git a/scripts/base/misc/find-filtered-trace.zeek b/scripts/base/misc/find-filtered-trace.zeek index a756f78551..f7bdbb9e91 100644 --- a/scripts/base/misc/find-filtered-trace.zeek +++ b/scripts/base/misc/find-filtered-trace.zeek @@ -1,7 +1,7 @@ ##! Discovers trace files that contain TCP traffic consisting only of ##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST ##! packets and no content). On finding such a trace, a warning is -##! emitted that suggests toggling the :bro:see:`detect_filtered_trace` +##! emitted that suggests toggling the :zeek:see:`detect_filtered_trace` ##! option may be desired if the user does not want Bro to report ##! missing TCP segments. diff --git a/scripts/base/protocols/conn/contents.zeek b/scripts/base/protocols/conn/contents.zeek index dbfbbd0dc1..ea689c6350 100644 --- a/scripts/base/protocols/conn/contents.zeek +++ b/scripts/base/protocols/conn/contents.zeek @@ -2,7 +2,7 @@ ##! responders data or both. By default nothing is extracted, and in order ##! to actually extract data the ``c$extract_orig`` and/or the ##! ``c$extract_resp`` variable must be set to ``T``. One way to achieve this -##! would be to handle the :bro:id:`connection_established` event elsewhere +##! would be to handle the :zeek:id:`connection_established` event elsewhere ##! and set the ``extract_orig`` and ``extract_resp`` options there. ##! However, there may be trouble with the timing due to event queue delay. ##! 
diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek index cb391a8bf4..ecc9e436ac 100644 --- a/scripts/base/protocols/conn/main.zeek +++ b/scripts/base/protocols/conn/main.zeek @@ -78,13 +78,13 @@ export { ## If the connection is originated locally, this value will be T. ## If it was originated remotely it will be F. In the case that - ## the :bro:id:`Site::local_nets` variable is undefined, this + ## the :zeek:id:`Site::local_nets` variable is undefined, this ## field will be left empty at all times. local_orig: bool &log &optional; ## If the connection is responded to locally, this value will be T. ## If it was responded to remotely it will be F. In the case that - ## the :bro:id:`Site::local_nets` variable is undefined, this + ## the :zeek:id:`Site::local_nets` variable is undefined, this ## field will be left empty at all times. local_resp: bool &log &optional; 
@@ -128,18 +128,18 @@ export { ## (at least) 10 times; the third instance, 100 times; etc. history: string &log &optional; ## Number of packets that the originator sent. - ## Only set if :bro:id:`use_conn_size_analyzer` = T. + ## Only set if :zeek:id:`use_conn_size_analyzer` = T. orig_pkts: count &log &optional; ## Number of IP level bytes that the originator sent (as seen on ## the wire, taken from the IP total_length header field). - ## Only set if :bro:id:`use_conn_size_analyzer` = T. + ## Only set if :zeek:id:`use_conn_size_analyzer` = T. orig_ip_bytes: count &log &optional; ## Number of packets that the responder sent. - ## Only set if :bro:id:`use_conn_size_analyzer` = T. + ## Only set if :zeek:id:`use_conn_size_analyzer` = T. resp_pkts: count &log &optional; ## Number of IP level bytes that the responder sent (as seen on ## the wire, taken from the IP total_length header field). - ## Only set if :bro:id:`use_conn_size_analyzer` = T. + ## Only set if :zeek:id:`use_conn_size_analyzer` = T. resp_ip_bytes: count &log &optional; ## If this connection was over a tunnel, indicate the ## *uid* values for any encapsulating parent connections @@ -147,7 +147,7 @@ export { tunnel_parents: set[string] &log &optional; }; - ## Event that can be handled to access the :bro:type:`Conn::Info` + ## Event that can be handled to access the :zeek:type:`Conn::Info` ## record as it is sent on to the logging framework. global log_conn: event(rec: Info); } diff --git a/scripts/base/protocols/dhcp/main.zeek b/scripts/base/protocols/dhcp/main.zeek index 20998c082c..1f98cd0583 100644 --- a/scripts/base/protocols/dhcp/main.zeek +++ b/scripts/base/protocols/dhcp/main.zeek 
@@ -89,13 +89,13 @@ export { ## This event is used internally to distribute data around clusters ## since DHCP doesn't follow the normal "connection" model used by ## most protocols. It can also be handled to extend the DHCP log. - ## bro:see::`DHCP::log_info`. + ## :zeek:see:`DHCP::log_info`. global DHCP::aggregate_msgs: event(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options); ## This is a global variable that is only to be used in the - ## :bro::see::`DHCP::aggregate_msgs` event. It can be used to avoid + ## :zeek:see:`DHCP::aggregate_msgs` event. It can be used to avoid ## looking up the info record for a transaction ID in every event handler - ## for :bro:see::`DHCP::aggregate_msgs`. + ## for :zeek:see:`DHCP::aggregate_msgs`. global DHCP::log_info: Info; ## Event that can be handled to access the DHCP diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek index 8504d614f6..f91a94b0cb 100644 --- a/scripts/base/protocols/dns/main.zeek +++ b/scripts/base/protocols/dns/main.zeek @@ -80,7 +80,7 @@ export { saw_reply: bool &default=F; }; - ## An event that can be handled to access the :bro:type:`DNS::Info` + ## An event that can be handled to access the :zeek:type:`DNS::Info` ## record as it is sent to the logging framework. global log_dns: event(rec: Info); @@ -109,7 +109,7 @@ export { ## is_query: Indicator for if this is being called for a query or a response. global set_session: hook(c: connection, msg: dns_msg, is_query: bool); - ## Yields a queue of :bro:see:`DNS::Info` objects for a given + ## Yields a queue of :zeek:see:`DNS::Info` objects for a given ## DNS message query/transaction ID. type PendingMessages: table[count] of Queue::Queue; 
@@ -126,7 +126,7 @@ export { option max_pending_query_ids = 50; ## A record type which tracks the status of DNS queries for a given - ## :bro:type:`connection`. + ## :zeek:type:`connection`. type State: record { ## A single query that hasn't been matched with a response yet. ## Note this is maintained separate from the *pending_queries* diff --git a/scripts/base/protocols/ftp/gridftp.zeek b/scripts/base/protocols/ftp/gridftp.zeek index cdbe354a08..ef6965d3ca 100644 --- a/scripts/base/protocols/ftp/gridftp.zeek +++ b/scripts/base/protocols/ftp/gridftp.zeek @@ -6,7 +6,7 @@ ##! indicating the GSI mechanism for GSSAPI was used. This analysis ##! is all supported internally, this script simply adds the "gridftp" ##! label to the *service* field of the control channel's -##! :bro:type:`connection` record. +##! :zeek:type:`connection` record. ##! ##! GridFTP data channels are identified by a heuristic that relies on ##! the fact that default settings for GridFTP clients typically @@ -33,7 +33,7 @@ export { option size_threshold = 1073741824; ## Time during which we check whether a connection's size exceeds the - ## :bro:see:`GridFTP::size_threshold`. + ## :zeek:see:`GridFTP::size_threshold`. option max_time = 2 min; ## Whether to skip further processing of the GridFTP data channel once @@ -46,8 +46,8 @@ export { global data_channel_detected: event(c: connection); ## The initial criteria used to determine whether to start polling - ## the connection for the :bro:see:`GridFTP::size_threshold` to have - ## been exceeded. This is called in a :bro:see:`ssl_established` event + ## the connection for the :zeek:see:`GridFTP::size_threshold` to have + ## been exceeded. This is called in a :zeek:see:`ssl_established` event ## handler and by default looks for both a client and server certificate ## and for a NULL bulk cipher. One way in which this function could be ## redefined is to make it also consider client/server certificate 
@@ -56,7 +56,7 @@ export { ## c: The connection which may possibly be a GridFTP data channel. ## ## Returns: true if the connection should be further polled for an - ## exceeded :bro:see:`GridFTP::size_threshold`, else false. + ## exceeded :zeek:see:`GridFTP::size_threshold`, else false. const data_channel_initial_criteria: function(c: connection): bool &redef; } diff --git a/scripts/base/protocols/ftp/main.zeek b/scripts/base/protocols/ftp/main.zeek index 78a4dbabff..1c2dce17f8 100644 --- a/scripts/base/protocols/ftp/main.zeek +++ b/scripts/base/protocols/ftp/main.zeek @@ -36,7 +36,7 @@ export { ## Parse FTP reply codes into the three constituent single digit values. global parse_ftp_reply_code: function(code: count): ReplyCode; - ## Event that can be handled to access the :bro:type:`FTP::Info` + ## Event that can be handled to access the :zeek:type:`FTP::Info` ## record as it is sent on to the logging framework. global log_ftp: event(rec: Info); } diff --git a/scripts/base/protocols/ftp/utils.zeek b/scripts/base/protocols/ftp/utils.zeek index 74aeaa1e03..44c621b361 100644 --- a/scripts/base/protocols/ftp/utils.zeek +++ b/scripts/base/protocols/ftp/utils.zeek @@ -7,16 +7,16 @@ module FTP; export { - ## Creates a URL from an :bro:type:`FTP::Info` record. + ## Creates a URL from an :zeek:type:`FTP::Info` record. ## - ## rec: An :bro:type:`FTP::Info` record. + ## rec: An :zeek:type:`FTP::Info` record. ## ## Returns: A URL, not prefixed by ``"ftp://"``. global build_url: function(rec: Info): string; - ## Creates a URL from an :bro:type:`FTP::Info` record. + ## Creates a URL from an :zeek:type:`FTP::Info` record. ## - ## rec: An :bro:type:`FTP::Info` record. + ## rec: An :zeek:type:`FTP::Info` record. ## ## Returns: A URL prefixed with ``"ftp://"``. global build_url_ftp: function(rec: Info): string; diff --git a/scripts/base/protocols/http/entities.zeek b/scripts/base/protocols/http/entities.zeek index c16bb3f630..0a72c6b76e 100644 
--- a/scripts/base/protocols/http/entities.zeek +++ b/scripts/base/protocols/http/entities.zeek 
@@ -14,44 +14,44 @@ export { }; ## Maximum number of originator files to log. - ## :bro:see:`HTTP::max_files_policy` even is called once this + ## :zeek:see:`HTTP::max_files_policy` even is called once this ## limit is reached to determine if it's enforced. option max_files_orig = 15; ## Maximum number of responder files to log. - ## :bro:see:`HTTP::max_files_policy` even is called once this + ## :zeek:see:`HTTP::max_files_policy` even is called once this ## limit is reached to determine if it's enforced. option max_files_resp = 15; ## Called when reaching the max number of files across a given HTTP - ## connection according to :bro:see:`HTTP::max_files_orig` - ## or :bro:see:`HTTP::max_files_resp`. Break from the hook + ## connection according to :zeek:see:`HTTP::max_files_orig` + ## or :zeek:see:`HTTP::max_files_resp`. Break from the hook ## early to signal that the file limit should not be applied. global max_files_policy: hook(f: fa_file, is_orig: bool); redef record Info += { ## An ordered vector of file unique IDs. - ## Limited to :bro:see:`HTTP::max_files_orig` entries. + ## Limited to :zeek:see:`HTTP::max_files_orig` entries. orig_fuids: vector of string &log &optional; ## An ordered vector of filenames from the client. - ## Limited to :bro:see:`HTTP::max_files_orig` entries. + ## Limited to :zeek:see:`HTTP::max_files_orig` entries. orig_filenames: vector of string &log &optional; ## An ordered vector of mime types. - ## Limited to :bro:see:`HTTP::max_files_orig` entries. + ## Limited to :zeek:see:`HTTP::max_files_orig` entries. orig_mime_types: vector of string &log &optional; ## An ordered vector of file unique IDs. - ## Limited to :bro:see:`HTTP::max_files_resp` entries. + ## Limited to :zeek:see:`HTTP::max_files_resp` entries. resp_fuids: vector of string &log &optional; ## An ordered vector of filenames from the server. - ## Limited to :bro:see:`HTTP::max_files_resp` entries. + ## Limited to :zeek:see:`HTTP::max_files_resp` entries. 
resp_filenames: vector of string &log &optional; ## An ordered vector of mime types. - ## Limited to :bro:see:`HTTP::max_files_resp` entries. + ## Limited to :zeek:see:`HTTP::max_files_resp` entries. resp_mime_types: vector of string &log &optional; ## The current entity. diff --git a/scripts/base/protocols/http/utils.zeek b/scripts/base/protocols/http/utils.zeek index 67f13f2640..a48841cef5 100644 --- a/scripts/base/protocols/http/utils.zeek +++ b/scripts/base/protocols/http/utils.zeek @@ -17,18 +17,18 @@ export { ## Returns: A vector of strings containing the keys. global extract_keys: function(data: string, kv_splitter: pattern): string_vec; - ## Creates a URL from an :bro:type:`HTTP::Info` record. This should + ## Creates a URL from an :zeek:type:`HTTP::Info` record. This should ## handle edge cases such as proxied requests appropriately. ## - ## rec: An :bro:type:`HTTP::Info` record. + ## rec: An :zeek:type:`HTTP::Info` record. ## ## Returns: A URL, not prefixed by ``"http://"``. global build_url: function(rec: Info): string; - ## Creates a URL from an :bro:type:`HTTP::Info` record. This should + ## Creates a URL from an :zeek:type:`HTTP::Info` record. This should ## handle edge cases such as proxied requests appropriately. ## - ## rec: An :bro:type:`HTTP::Info` record. + ## rec: An :zeek:type:`HTTP::Info` record. ## ## Returns: A URL prefixed with ``"http://"``. global build_url_http: function(rec: Info): string; diff --git a/scripts/base/protocols/ssh/main.zeek b/scripts/base/protocols/ssh/main.zeek index 2e70bc1aba..293c529b6d 100644 --- a/scripts/base/protocols/ssh/main.zeek +++ b/scripts/base/protocols/ssh/main.zeek 
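Review bot: In scripts/base/protocols/http/entities.zeek, the rewritten comments on `max_files_orig` and `max_files_resp` still read "even is called", yet the same hunk declares `max_files_policy` as a `hook`, not an event. Since both lines are being touched anyway, I would change the wording in each to `hook is called once this`, so readers look for a hook handler rather than an event handler. It may also be worth saying on the `orig_fuids`/`resp_fuids` comments that the vectors stop growing at the limit unless a `max_files_policy` handler breaks, because someone correlating files from the HTTP log could otherwise take the list as complete. The `export` block and the `Info` redef both continue outside the hunk.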
@@ -75,7 +75,7 @@ export { ## c: The connection over which the :abbr:`SSH (Secure Shell)` ## connection took place. ## - ## .. bro:see:: ssh_server_version ssh_client_version + ## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_result ssh_auth_attempted ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params @@ -98,7 +98,7 @@ export { ## auth_attempts: The number of authentication attempts that were ## observed. ## - ## .. bro:see:: ssh_server_version ssh_client_version + ## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_attempted ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params @@ -106,10 +106,10 @@ export { global ssh_auth_result: event(c: connection, result: bool, auth_attempts: count); ## Event that can be handled when the analyzer sees an SSH server host - ## key. This abstracts :bro:id:`ssh1_server_host_key` and - ## :bro:id:`ssh2_server_host_key`. + ## key. This abstracts :zeek:id:`ssh1_server_host_key` and + ## :zeek:id:`ssh2_server_host_key`. ## - ## .. bro:see:: ssh_server_version ssh_client_version + ## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key ## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params diff --git a/scripts/base/utils/active-http.zeek b/scripts/base/utils/active-http.zeek index 8243a7a9a9..27eb6e2bb2 100644 --- a/scripts/base/utils/active-http.zeek +++ b/scripts/base/utils/active-http.zeek 
@@ -46,7 +46,7 @@ export { }; ## Perform an HTTP request according to the - ## :bro:type:`ActiveHTTP::Request` record. This is an asynchronous + ## :zeek:type:`ActiveHTTP::Request` record. This is an asynchronous ## function and must be called within a "when" statement. ## ## req: A record instance representing all options for an HTTP request. diff --git a/scripts/base/utils/conn-ids.zeek b/scripts/base/utils/conn-ids.zeek index 6601b665e5..b5d7fffd77 100644 --- a/scripts/base/utils/conn-ids.zeek +++ b/scripts/base/utils/conn-ids.zeek @@ -13,7 +13,7 @@ export { ## on the right to the originator on the left. global reverse_id_string: function(id: conn_id): string; - ## Calls :bro:id:`id_string` or :bro:id:`reverse_id_string` if the + ## Calls :zeek:id:`id_string` or :zeek:id:`reverse_id_string` if the ## second argument is T or F, respectively. global directed_id_string: function(id: conn_id, is_orig: bool): string; } diff --git a/scripts/base/utils/dir.zeek b/scripts/base/utils/dir.zeek index eb5597a7b7..678e81d7ed 100644 --- a/scripts/base/utils/dir.zeek +++ b/scripts/base/utils/dir.zeek @@ -6,7 +6,7 @@ module Dir; export { ## The default interval this module checks for files in directories when - ## using the :bro:see:`Dir::monitor` function. + ## using the :zeek:see:`Dir::monitor` function. option polling_interval = 30sec; ## Register a directory to monitor with a callback that is called diff --git a/scripts/base/utils/exec.zeek b/scripts/base/utils/exec.zeek index fe44853541..85500bf9c2 100644 --- a/scripts/base/utils/exec.zeek +++ b/scripts/base/utils/exec.zeek @@ -8,7 +8,7 @@ export { type Command: record { ## The command line to execute. Use care to avoid injection ## attacks (i.e., if the command uses untrusted/variable data, - ## sanitize it with :bro:see:`safe_shell_quote`). + ## sanitize it with :zeek:see:`safe_shell_quote`). cmd: string; ## Provide standard input to the program as a string. stdin: string &default=""; 
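Review bot: In scripts/base/utils/exec.zeek, the `cmd` comment touched here points at `safe_shell_quote` but does not say how to apply it, and "i.e." reads as if untrusted data were the only case rather than an example. The quoting has to be applied to each untrusted value before it is concatenated into the command line; quoting the assembled string would presumably turn the whole command into a single shell word. I would reword the last two comment lines to `## attacks (e.g., if the command uses untrusted/variable data,` and ``## quote each such value with :zeek:see:`safe_shell_quote`).`` A short sentence noting that such data can be passed through the `stdin` field instead, where the program supports it, would help too. The `Command` record continues outside the hunk.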
diff --git a/scripts/base/utils/geoip-distance.zeek b/scripts/base/utils/geoip-distance.zeek index 8d3149cb03..8aa2601500 100644 --- a/scripts/base/utils/geoip-distance.zeek +++ b/scripts/base/utils/geoip-distance.zeek @@ -10,7 +10,7 @@ ## Returns: The distance between *a1* and *a2* in miles, or -1.0 if GeoIP data ## is not available for either of the IP addresses. ## -## .. bro:see:: haversine_distance lookup_location +## .. zeek:see:: haversine_distance lookup_location function haversine_distance_ip(a1: addr, a2: addr): double { local loc1 = lookup_location(a1); diff --git a/scripts/base/utils/paths.zeek b/scripts/base/utils/paths.zeek index 6de5b85e2e..fdc9bd5d3d 100644 --- a/scripts/base/utils/paths.zeek +++ b/scripts/base/utils/paths.zeek @@ -75,7 +75,7 @@ function build_path(dir: string, file_name: string): string } ## Returns a compressed path to a file given a directory and file name. -## See :bro:id:`build_path` and :bro:id:`compress_path`. +## See :zeek:id:`build_path` and :zeek:id:`compress_path`. function build_path_compressed(dir: string, file_name: string): string { return compress_path(build_path(dir, file_name)); diff --git a/scripts/base/utils/patterns.zeek b/scripts/base/utils/patterns.zeek index 47b8cf4e37..6d955339f8 100644 --- a/scripts/base/utils/patterns.zeek +++ b/scripts/base/utils/patterns.zeek @@ -37,7 +37,7 @@ type PatternMatchResult: record { }; ## Matches the given pattern against the given string, returning -## a :bro:type:`PatternMatchResult` record. +## a :zeek:type:`PatternMatchResult` record. ## For example: ``match_pattern("foobar", /o*[a-k]/)`` returns ## ``[matched=T, str=f, off=1]``, because the *first* match is for ## zero o's followed by an [a-k], but ``match_pattern("foobar", /o+[a-k]/)`` diff --git a/scripts/base/utils/site.zeek b/scripts/base/utils/site.zeek index 541dcb3f9a..949f340410 100644 --- a/scripts/base/utils/site.zeek +++ b/scripts/base/utils/site.zeek 
@@ -22,9 +22,9 @@ export { option local_nets: set[subnet] = {}; ## This is used for retrieving the subnet when using multiple entries in - ## :bro:id:`Site::local_nets`. It's populated automatically from there. + ## :zeek:id:`Site::local_nets`. It's populated automatically from there. ## A membership query can be done with an - ## :bro:type:`addr` and the table will yield the subnet it was found + ## :zeek:type:`addr` and the table will yield the subnet it was found ## within. global local_nets_table: table[subnet] of subnet = {}; 
@@ -45,33 +45,33 @@ export { ## Function that returns true if an address corresponds to one of ## the local networks, false if not. - ## The function inspects :bro:id:`Site::local_nets`. + ## The function inspects :zeek:id:`Site::local_nets`. global is_local_addr: function(a: addr): bool; ## Function that returns true if an address corresponds to one of ## the neighbor networks, false if not. - ## The function inspects :bro:id:`Site::neighbor_nets`. + ## The function inspects :zeek:id:`Site::neighbor_nets`. global is_neighbor_addr: function(a: addr): bool; ## Function that returns true if an address corresponds to one of ## the private/unrouted networks, false if not. - ## The function inspects :bro:id:`Site::private_address_space`. + ## The function inspects :zeek:id:`Site::private_address_space`. global is_private_addr: function(a: addr): bool; ## Function that returns true if a host name is within a local ## DNS zone. - ## The function inspects :bro:id:`Site::local_zones`. + ## The function inspects :zeek:id:`Site::local_zones`. global is_local_name: function(name: string): bool; ## Function that returns true if a host name is within a neighbor ## DNS zone. - ## The function inspects :bro:id:`Site::neighbor_zones`. + ## The function inspects :zeek:id:`Site::neighbor_zones`. global is_neighbor_name: function(name: string): bool; ## Function that returns a comma-separated list of email addresses ## that are considered administrators for the IP address provided as ## an argument. - ## The function inspects :bro:id:`Site::local_admins`. + ## The function inspects :zeek:id:`Site::local_admins`. global get_emails: function(a: addr): string; } diff --git a/scripts/base/utils/thresholds.zeek b/scripts/base/utils/thresholds.zeek index 31d1d3e84f..d30e9f2b0a 100644 --- a/scripts/base/utils/thresholds.zeek +++ b/scripts/base/utils/thresholds.zeek 
@@ -1,8 +1,8 @@ ##! Functions for using multiple thresholds with a counting tracker. For ##! example, you may want to generate a notice when something happens 10 times ##! and again when it happens 100 times but nothing in between. You can use -##! the :bro:id:`check_threshold` function to define your threshold points -##! and the :bro:type:`TrackCount` variable where you are keeping track of your +##! the :zeek:id:`check_threshold` function to define your threshold points +##! and the :zeek:type:`TrackCount` variable where you are keeping track of your ##! counter. module GLOBAL; @@ -18,12 +18,12 @@ export { }; ## The thresholds you would like to use as defaults with the - ## :bro:id:`default_check_threshold` function. + ## :zeek:id:`default_check_threshold` function. const default_notice_thresholds: vector of count = { 30, 100, 1000, 10000, 100000, 1000000, 10000000, } &redef; - ## This will check if a :bro:type:`TrackCount` variable has crossed any + ## This will check if a :zeek:type:`TrackCount` variable has crossed any ## thresholds in a given set. ## ## v: a vector holding counts that represent thresholds. @@ -34,8 +34,8 @@ export { ## Returns: T if a threshold has been crossed, else F. global check_threshold: function(v: vector of count, tracker: TrackCount): bool; - ## This will use the :bro:id:`default_notice_thresholds` variable to - ## check a :bro:type:`TrackCount` variable to see if it has crossed + ## This will use the :zeek:id:`default_notice_thresholds` variable to + ## check a :zeek:type:`TrackCount` variable to see if it has crossed ## another threshold. global default_check_threshold: function(tracker: TrackCount): bool; } diff --git a/scripts/base/utils/urls.zeek b/scripts/base/utils/urls.zeek index a34b6a02c1..c6ec41cbfc 100644 --- a/scripts/base/utils/urls.zeek +++ b/scripts/base/utils/urls.zeek 
@@ -3,7 +3,7 @@ ## A regular expression for matching and extracting URLs. const url_regex = /^([a-zA-Z\-]{3,5})(:\/\/[^\/?#"'\r\n><]*)([^?#"'\r\n><]*)([^[:blank:]\r\n"'><]*|\??[^"'\r\n><]*)/ &redef; -## A URI, as parsed by :bro:id:`decompose_uri`. +## A URI, as parsed by :zeek:id:`decompose_uri`. type URI: record { ## The URL's scheme.. scheme: string &optional; diff --git a/scripts/broxygen/README b/scripts/broxygen/README deleted file mode 100644 index ac7f522285..0000000000 --- a/scripts/broxygen/README +++ /dev/null @@ -1,4 +0,0 @@ -This package is loaded during the process which automatically generates -reference documentation for all Bro scripts (i.e. "Broxygen"). Its only -purpose is to provide an easy way to load all known Bro scripts plus any -extra scripts needed or used by the documentation process. diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.zeek b/scripts/policy/frameworks/dpd/packet-segment-logging.zeek index 35a52c3870..7dff2b07f8 100644 --- a/scripts/policy/frameworks/dpd/packet-segment-logging.zeek +++ b/scripts/policy/frameworks/dpd/packet-segment-logging.zeek @@ -1,6 +1,6 @@ ##! This script enables logging of packet segment data when a protocol ##! parsing violation is encountered. The amount of data from the -##! packet logged is set by the :bro:see:`DPD::packet_segment_size` variable. +##! packet logged is set by the :zeek:see:`DPD::packet_segment_size` variable. ##! A caveat to logging packet data is that in some cases, the packet may ##! not be the packet that actually caused the protocol violation. diff --git a/scripts/policy/frameworks/notice/extend-email/hostnames.zeek b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek index 9ee58d3e0b..5be74c7913 100644 --- a/scripts/policy/frameworks/notice/extend-email/hostnames.zeek +++ b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek 
@@ -1,6 +1,6 @@ -##! Loading this script extends the :bro:enum:`Notice::ACTION_EMAIL` action +##! Loading this script extends the :zeek:enum:`Notice::ACTION_EMAIL` action ##! by appending to the email the hostnames associated with -##! :bro:type:`Notice::Info`'s *src* and *dst* fields as determined by a +##! :zeek:type:`Notice::Info`'s *src* and *dst* fields as determined by a ##! DNS lookup. @load base/frameworks/notice/main diff --git a/scripts/policy/frameworks/packet-filter/shunt.zeek b/scripts/policy/frameworks/packet-filter/shunt.zeek index 13ff27252c..3a08dfaddd 100644 --- a/scripts/policy/frameworks/packet-filter/shunt.zeek +++ b/scripts/policy/frameworks/packet-filter/shunt.zeek @@ -23,7 +23,7 @@ export { ## update done by the `PacketFilter` framework. global unshunt_host_pair: function(id: conn_id): bool; - ## Performs the same function as the :bro:id:`PacketFilter::unshunt_host_pair` + ## Performs the same function as the :zeek:id:`PacketFilter::unshunt_host_pair` ## function, but it forces an immediate filter update. global force_unshunt_host_pair: function(id: conn_id): bool; @@ -34,7 +34,7 @@ export { global current_shunted_host_pairs: function(): set[conn_id]; redef enum Notice::Type += { - ## Indicative that :bro:id:`PacketFilter::max_bpf_shunts` + ## Indicative that :zeek:id:`PacketFilter::max_bpf_shunts` ## connections are already being shunted with BPF filters and ## no more are allowed. No_More_Conn_Shunts_Available, diff --git a/scripts/policy/frameworks/software/version-changes.zeek b/scripts/policy/frameworks/software/version-changes.zeek index 215a64d6b7..865cc20447 100644 --- a/scripts/policy/frameworks/software/version-changes.zeek +++ b/scripts/policy/frameworks/software/version-changes.zeek 
@@ -12,7 +12,7 @@ export { ## For certain software, a version changing may matter. In that ## case, this notice will be generated. Software that matters ## if the version changes can be configured with the - ## :bro:id:`Software::interesting_version_changes` variable. + ## :zeek:id:`Software::interesting_version_changes` variable. Software_Version_Change, }; diff --git a/scripts/policy/integration/barnyard2/main.zeek b/scripts/policy/integration/barnyard2/main.zeek index 7d0bb59d5a..876467eb8a 100644 --- a/scripts/policy/integration/barnyard2/main.zeek +++ b/scripts/policy/integration/barnyard2/main.zeek @@ -18,8 +18,8 @@ export { alert: AlertData &log; }; - ## This can convert a Barnyard :bro:type:`Barnyard2::PacketID` value to - ## a :bro:type:`conn_id` value in the case that you might need to index + ## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to + ## a :zeek:type:`conn_id` value in the case that you might need to index ## into an existing data structure elsewhere within Bro. global pid2cid: function(p: PacketID): conn_id; } diff --git a/scripts/policy/misc/capture-loss.zeek b/scripts/policy/misc/capture-loss.zeek index 302919597f..c6516d46eb 100644 --- a/scripts/policy/misc/capture-loss.zeek +++ b/scripts/policy/misc/capture-loss.zeek @@ -41,7 +41,7 @@ export { option watch_interval = 15mins; ## The percentage of missed data that is considered "too much" - ## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be + ## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be ## generated. The value is expressed as a double between 0 and 1 with 1 ## being 100%. option too_much_loss: double = 0.1; diff --git a/scripts/policy/misc/detect-traceroute/main.zeek b/scripts/policy/misc/detect-traceroute/main.zeek index 8271277af6..091ceceed6 100644 --- a/scripts/policy/misc/detect-traceroute/main.zeek +++ b/scripts/policy/misc/detect-traceroute/main.zeek 
@@ -34,7 +34,7 @@ export { const icmp_time_exceeded_threshold: double = 3 &redef; ## Interval at which to watch for the - ## :bro:id:`Traceroute::icmp_time_exceeded_threshold` variable to be + ## :zeek:id:`Traceroute::icmp_time_exceeded_threshold` variable to be ## crossed. At the end of each interval the counter is reset. const icmp_time_exceeded_interval = 3min &redef; diff --git a/scripts/policy/misc/profiling.zeek b/scripts/policy/misc/profiling.zeek index 5a0dfe5fcf..fed8c41f54 100644 --- a/scripts/policy/misc/profiling.zeek +++ b/scripts/policy/misc/profiling.zeek @@ -9,7 +9,7 @@ redef profiling_file = open_log_file("prof"); redef profiling_interval = 15 secs; ## Set the expensive profiling interval (multiple of -## :bro:id:`profiling_interval`). +## :zeek:id:`profiling_interval`). redef expensive_profiling_multiple = 20; event zeek_init() diff --git a/scripts/policy/misc/scan.zeek b/scripts/policy/misc/scan.zeek index 6468767674..26dc54ce90 100644 --- a/scripts/policy/misc/scan.zeek +++ b/scripts/policy/misc/scan.zeek @@ -15,17 +15,17 @@ export { redef enum Notice::Type += { ## Address scans detect that a host appears to be scanning some ## number of destinations on a single port. This notice is - ## generated when more than :bro:id:`Scan::addr_scan_threshold` + ## generated when more than :zeek:id:`Scan::addr_scan_threshold` ## unique hosts are seen over the previous - ## :bro:id:`Scan::addr_scan_interval` time range. + ## :zeek:id:`Scan::addr_scan_interval` time range. Address_Scan, ## Port scans detect that an attacking host appears to be ## scanning a single victim host on several ports. This notice ## is generated when an attacking host attempts to connect to - ## :bro:id:`Scan::port_scan_threshold` + ## :zeek:id:`Scan::port_scan_threshold` ## unique ports on a single host over the previous - ## :bro:id:`Scan::port_scan_interval` time range. + ## :zeek:id:`Scan::port_scan_interval` time range. Port_Scan, }; 
diff --git a/scripts/policy/misc/trim-trace-file.zeek b/scripts/policy/misc/trim-trace-file.zeek index 2d78977d8c..3f50406f3b 100644 --- a/scripts/policy/misc/trim-trace-file.zeek +++ b/scripts/policy/misc/trim-trace-file.zeek @@ -11,7 +11,7 @@ export { ## tracefile rotation is required with the caveat that the script ## doesn't currently attempt to get back on schedule automatically and ## the next trim likely won't happen on the - ## :bro:id:`TrimTraceFile::trim_interval`. + ## :zeek:id:`TrimTraceFile::trim_interval`. global go: event(first_trim: bool); } diff --git a/scripts/policy/protocols/conn/known-hosts.zeek b/scripts/policy/protocols/conn/known-hosts.zeek index 493784a859..702ab59ca3 100644 --- a/scripts/policy/protocols/conn/known-hosts.zeek +++ b/scripts/policy/protocols/conn/known-hosts.zeek @@ -28,22 +28,22 @@ export { const use_host_store = T &redef; ## The hosts whose existence should be logged and tracked. - ## See :bro:type:`Host` for possible choices. + ## See :zeek:type:`Host` for possible choices. option host_tracking = LOCAL_HOSTS; ## Holds the set of all known hosts. Keys in the store are addresses ## and their associated value will always be the "true" boolean. global host_store: Cluster::StoreInfo; - ## The Broker topic name to use for :bro:see:`Known::host_store`. + ## The Broker topic name to use for :zeek:see:`Known::host_store`. const host_store_name = "bro/known/hosts" &redef; - ## The expiry interval of new entries in :bro:see:`Known::host_store`. + ## The expiry interval of new entries in :zeek:see:`Known::host_store`. ## This also changes the interval at which hosts get logged. const host_store_expiry = 1day &redef; ## The timeout interval to use for operations against - ## :bro:see:`Known::host_store`. + ## :zeek:see:`Known::host_store`. option host_store_timeout = 15sec; ## The set of all known addresses to store for preventing duplicate 
@@ -56,7 +56,7 @@ export { ## proxy nodes. global hosts: set[addr] &create_expire=1day &redef; - ## An event that can be handled to access the :bro:type:`Known::HostsInfo` + ## An event that can be handled to access the :zeek:type:`Known::HostsInfo` ## record as it is sent on to the logging framework. global log_known_hosts: event(rec: HostsInfo); } diff --git a/scripts/policy/protocols/conn/known-services.zeek b/scripts/policy/protocols/conn/known-services.zeek index 63d9f7fa71..767962b791 100644 --- a/scripts/policy/protocols/conn/known-services.zeek +++ b/scripts/policy/protocols/conn/known-services.zeek @@ -34,7 +34,7 @@ export { const use_service_store = T &redef; ## The hosts whose services should be tracked and logged. - ## See :bro:type:`Host` for possible choices. + ## See :zeek:type:`Host` for possible choices. option service_tracking = LOCAL_HOSTS; type AddrPortPair: record { @@ -43,19 +43,19 @@ export { }; ## Holds the set of all known services. Keys in the store are - ## :bro:type:`Known::AddrPortPair` and their associated value is + ## :zeek:type:`Known::AddrPortPair` and their associated value is ## always the boolean value of "true". global service_store: Cluster::StoreInfo; - ## The Broker topic name to use for :bro:see:`Known::service_store`. + ## The Broker topic name to use for :zeek:see:`Known::service_store`. const service_store_name = "bro/known/services" &redef; - ## The expiry interval of new entries in :bro:see:`Known::service_store`. + ## The expiry interval of new entries in :zeek:see:`Known::service_store`. ## This also changes the interval at which services get logged. const service_store_expiry = 1day &redef; ## The timeout interval to use for operations against - ## :bro:see:`Known::service_store`. + ## :zeek:see:`Known::service_store`. option service_store_timeout = 15sec; ## Tracks the set of daily-detected services for preventing the logging 
@@ -68,7 +68,7 @@ export { ## This set is automatically populated and shouldn't be directly modified. global services: set[addr, port] &create_expire=1day; - ## Event that can be handled to access the :bro:type:`Known::ServicesInfo` + ## Event that can be handled to access the :zeek:type:`Known::ServicesInfo` ## record as it is sent on to the logging framework. global log_known_services: event(rec: ServicesInfo); } diff --git a/scripts/policy/protocols/dhcp/deprecated_events.zeek b/scripts/policy/protocols/dhcp/deprecated_events.zeek index 941e5c72c3..553d13bc05 100644 --- a/scripts/policy/protocols/dhcp/deprecated_events.zeek +++ b/scripts/policy/protocols/dhcp/deprecated_events.zeek @@ -11,9 +11,9 @@ ## .. note:: This type is included to support the deprecated events dhcp_ack, ## dhcp_decline, dhcp_discover, dhcp_inform, dhcp_nak, dhcp_offer, ## dhcp_release and dhcp_request and is thus similarly deprecated -## itself. Use :bro:see:`dhcp_message` instead. +## itself. Use :zeek:see:`dhcp_message` instead. ## -## .. bro:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover +## .. zeek:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover ## dhcp_inform dhcp_nak dhcp_offer dhcp_release dhcp_request type dhcp_msg: record { op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY @@ -28,9 +28,9 @@ type dhcp_msg: record { ## ## .. note:: This type is included to support the deprecated events dhcp_ack ## and dhcp_offer and is thus similarly deprecated -## itself. Use :bro:see:`dhcp_message` instead. +## itself. Use :zeek:see:`dhcp_message` instead. ## -## .. bro:see:: dhcp_message dhcp_ack dhcp_offer +## .. zeek:see:: dhcp_message dhcp_ack dhcp_offer type dhcp_router_list: table[count] of addr; ## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate 
@@ -44,7 +44,7 @@ type dhcp_router_list: table[count] of addr; ## ## host_name: The value of the host name option, if specified by the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_ack dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -74,7 +74,7 @@ global dhcp_discover: event(c: connection, msg: dhcp_msg, req_addr: addr, host_n ## host_name: Optional host name value. May differ from the host name requested ## from the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline +## .. zeek:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline ## dhcp_ack dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -101,7 +101,7 @@ global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_ ## ## host_name: The value of the host name option, if specified by the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline ## dhcp_ack dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -122,7 +122,7 @@ global dhcp_request: event(c: connection, msg: dhcp_msg, req_addr: addr, serv_ad ## ## host_name: Optional host name value. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_ack dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. 
@@ -152,7 +152,7 @@ global dhcp_decline: event(c: connection, msg: dhcp_msg, host_name: string) &dep ## host_name: Optional host name value. May differ from the host name requested ## from the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -170,7 +170,7 @@ global dhcp_ack: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_ro ## ## host_name: Optional host name value. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_ack dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -191,7 +191,7 @@ global dhcp_nak: event(c: connection, msg: dhcp_msg, host_name: string) &depreca ## ## host_name: The value of the host name option, if specified by the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_ack dhcp_nak dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -209,7 +209,7 @@ global dhcp_release: event(c: connection, msg: dhcp_msg, host_name: string) &dep ## ## host_name: The value of the host name option, if specified by the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_ack dhcp_nak dhcp_release ## ## .. note:: This event has been deprecated, and will be removed in the next version. diff --git a/scripts/policy/protocols/dns/detect-external-names.zeek b/scripts/policy/protocols/dns/detect-external-names.zeek index ea56e5676f..9533f396a2 100644 
--- a/scripts/policy/protocols/dns/detect-external-names.zeek +++ b/scripts/policy/protocols/dns/detect-external-names.zeek @@ -1,6 +1,6 @@ ##! This script detects names which are not within zones considered to be ##! local but resolving to addresses considered local. -##! The :bro:id:`Site::local_zones` variable **must** be set appropriately for +##! The :zeek:id:`Site::local_zones` variable **must** be set appropriately for ##! this detection. @load base/frameworks/notice @@ -11,7 +11,7 @@ module DNS; export { redef enum Notice::Type += { ## Raised when a non-local name is found to be pointing at a - ## local host. The :bro:id:`Site::local_zones` variable + ## local host. The :zeek:id:`Site::local_zones` variable ## **must** be set appropriately for this detection. External_Name, }; diff --git a/scripts/policy/protocols/http/detect-sqli.zeek b/scripts/policy/protocols/http/detect-sqli.zeek index 3ad9efbfe2..5baf6b89ab 100644 --- a/scripts/policy/protocols/http/detect-sqli.zeek +++ b/scripts/policy/protocols/http/detect-sqli.zeek @@ -35,7 +35,7 @@ export { const sqli_requests_threshold: double = 50.0 &redef; ## Interval at which to watch for the - ## :bro:id:`HTTP::sqli_requests_threshold` variable to be crossed. + ## :zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed. ## At the end of each interval the counter is reset. const sqli_requests_interval = 5min &redef; diff --git a/scripts/policy/protocols/smtp/entities-excerpt.zeek b/scripts/policy/protocols/smtp/entities-excerpt.zeek index f4ee2b07d5..4dad6d3e39 100644 --- a/scripts/policy/protocols/smtp/entities-excerpt.zeek +++ b/scripts/policy/protocols/smtp/entities-excerpt.zeek @@ -13,7 +13,7 @@ export { ## This is the default value for how much of the entity body should be ## included for all MIME entities. The lesser of this value and - ## :bro:see:`default_file_bof_buffer_size` will be used. + ## :zeek:see:`default_file_bof_buffer_size` will be used. option default_entity_excerpt_len = 0; } 
diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.zeek b/scripts/policy/protocols/ssh/detect-bruteforcing.zeek index 208f3db04c..4368258b98 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.zeek +++ b/scripts/policy/protocols/ssh/detect-bruteforcing.zeek @@ -11,7 +11,7 @@ module SSH; export { redef enum Notice::Type += { ## Indicates that a host has been identified as crossing the - ## :bro:id:`SSH::password_guesses_limit` threshold with + ## :zeek:id:`SSH::password_guesses_limit` threshold with ## failed logins. Password_Guessing, ## Indicates that a host previously identified as a "password diff --git a/scripts/policy/protocols/ssh/geo-data.zeek b/scripts/policy/protocols/ssh/geo-data.zeek index af9e05f011..5c98f62229 100644 --- a/scripts/policy/protocols/ssh/geo-data.zeek +++ b/scripts/policy/protocols/ssh/geo-data.zeek @@ -8,7 +8,7 @@ module SSH; export { redef enum Notice::Type += { ## If an SSH login is seen to or from a "watched" country based - ## on the :bro:id:`SSH::watched_countries` variable then this + ## on the :zeek:id:`SSH::watched_countries` variable then this ## notice will be generated. Watched_Country_Login, }; diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.zeek b/scripts/policy/protocols/ssh/interesting-hostnames.zeek index 064556f9c4..92f7bfc1dd 100644 --- a/scripts/policy/protocols/ssh/interesting-hostnames.zeek +++ b/scripts/policy/protocols/ssh/interesting-hostnames.zeek @@ -12,7 +12,7 @@ export { redef enum Notice::Type += { ## Generated if a login originates or responds with a host where ## the reverse hostname lookup resolves to a name matched by the - ## :bro:id:`SSH::interesting_hostnames` regular expression. + ## :zeek:id:`SSH::interesting_hostnames` regular expression. Interesting_Hostname_Login, }; diff --git a/scripts/policy/protocols/ssl/expiring-certs.zeek b/scripts/policy/protocols/ssl/expiring-certs.zeek index 1e806942d7..630d23d145 100644 
--- a/scripts/policy/protocols/ssl/expiring-certs.zeek +++ b/scripts/policy/protocols/ssl/expiring-certs.zeek @@ -15,7 +15,7 @@ export { ## and the certificate is now invalid. Certificate_Expired, ## Indicates that a certificate is going to expire within - ## :bro:id:`SSL::notify_when_cert_expiring_in`. + ## :zeek:id:`SSL::notify_when_cert_expiring_in`. Certificate_Expires_Soon, ## Indicates that a certificate's NotValidBefore date is future ## dated. @@ -30,7 +30,7 @@ export { option notify_certs_expiration = LOCAL_HOSTS; ## The time before a certificate is going to expire that you would like - ## to start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices. + ## to start receiving :zeek:enum:`SSL::Certificate_Expires_Soon` notices. option notify_when_cert_expiring_in = 30days; } diff --git a/scripts/policy/protocols/ssl/known-certs.zeek b/scripts/policy/protocols/ssl/known-certs.zeek index 3841b77d87..3a8ec75922 100644 --- a/scripts/policy/protocols/ssl/known-certs.zeek +++ b/scripts/policy/protocols/ssl/known-certs.zeek 
@@ -43,19 +43,19 @@ export { }; ## Holds the set of all known certificates. Keys in the store are of - ## type :bro:type:`Known::AddrCertHashPair` and their associated value is + ## type :zeek:type:`Known::AddrCertHashPair` and their associated value is ## always the boolean value of "true". global cert_store: Cluster::StoreInfo; - ## The Broker topic name to use for :bro:see:`Known::cert_store`. + ## The Broker topic name to use for :zeek:see:`Known::cert_store`. const cert_store_name = "bro/known/certs" &redef; - ## The expiry interval of new entries in :bro:see:`Known::cert_store`. + ## The expiry interval of new entries in :zeek:see:`Known::cert_store`. ## This also changes the interval at which certs get logged. option cert_store_expiry = 1day; ## The timeout interval to use for operations against - ## :bro:see:`Known::cert_store`. + ## :zeek:see:`Known::cert_store`. option cert_store_timeout = 15sec; ## The set of all known certificates to store for preventing duplicate diff --git a/scripts/zeexygen/README b/scripts/zeexygen/README new file mode 100644 index 0000000000..f099b09833 --- /dev/null +++ b/scripts/zeexygen/README @@ -0,0 +1,4 @@ +This package is loaded during the process which automatically generates +reference documentation for all Zeek scripts (i.e. "Zeexygen"). Its only +purpose is to provide an easy way to load all known Zeek scripts plus any +extra scripts needed or used by the documentation process. diff --git a/scripts/broxygen/__load__.zeek b/scripts/zeexygen/__load__.zeek similarity index 100% rename from scripts/broxygen/__load__.zeek rename to scripts/zeexygen/__load__.zeek diff --git a/scripts/broxygen/example.zeek b/scripts/zeexygen/example.zeek similarity index 88% rename from scripts/broxygen/example.zeek rename to scripts/zeexygen/example.zeek index d241051b7d..69affed96a 100644 --- a/scripts/broxygen/example.zeek +++ b/scripts/zeexygen/example.zeek 
@@ -1,4 +1,4 @@ -##! This is an example script that demonstrates Broxygen-style +##! This is an example script that demonstrates Zeexygen-style ##! documentation. It generally will make most sense when viewing ##! the script's raw source code and comparing to the HTML-rendered ##! version. @@ -11,14 +11,14 @@ ##! .. tip:: You can embed directives and roles within ``##``-stylized comments. ##! ##! There's also a custom role to reference any identifier node in -##! the Bro Sphinx domain that's good for "see alsos", e.g. +##! the Zeek Sphinx domain that's good for "see alsos", e.g. ##! -##! See also: :bro:see:`BroxygenExample::a_var`, -##! :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` +##! See also: :zeek:see:`ZeexygenExample::a_var`, +##! :zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info` ##! ##! And a custom directive does the equivalent references: ##! -##! .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info +##! .. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info # Comments that use a single pound sign (#) are not significant to # a script's auto-generated documentation, but ones that use a @@ -30,7 +30,7 @@ # variable declarations to associate with the last-declared identifier. # # Generally, the auto-doc comments (##) are associated with the -# next declaration/identifier found in the script, but Broxygen +# next declaration/identifier found in the script, but Zeexygen # will track/render identifiers regardless of whether they have any # of these special comments associated with them. # 
@@ -49,19 +49,19 @@ # "module" statements are self-documenting, don't use any ``##`` style # comments with them. -module BroxygenExample; +module ZeexygenExample; # Redefinitions of "Notice::Type" are self-documenting, but # more information can be supplied in two different ways. redef enum Notice::Type += { ## Any number of this type of comment - ## will document "Broxygen_One". - Broxygen_One, - Broxygen_Two, ##< Any number of this type of comment - ##< will document "BROXYGEN_TWO". - Broxygen_Three, + ## will document "Zeexygen_One". + Zeexygen_One, + Zeexygen_Two, ##< Any number of this type of comment + ##< will document "ZEEXYGEN_TWO". + Zeexygen_Three, ## Omitting comments is fine, and so is mixing ``##`` and ``##<``, but - Broxygen_Four, ##< it's probably best to use only one style consistently. + Zeexygen_Four, ##< it's probably best to use only one style consistently. }; # All redefs are automatically tracked. Comments of the "##" form can be use @@ -110,7 +110,7 @@ export { type ComplexRecord: record { field1: count; ##< Counts something. field2: bool; ##< Toggles something. - field3: SimpleRecord; ##< Broxygen automatically tracks types + field3: SimpleRecord; ##< Zeexygen automatically tracks types ##< and cross-references are automatically ##< inserted in to generated docs. msg: string &default="blah"; ##< Attributes are self-documenting. @@ -163,9 +163,9 @@ export { ## Summarize "an_event" here. ## Give more details about "an_event" here. ## - ## BroxygenExample::a_function should not be confused as a parameter + ## ZeexygenExample::a_function should not be confused as a parameter ## in the generated docs, but it also doesn't generate a cross-reference - ## link. Use the see role instead: :bro:see:`BroxygenExample::a_function`. + ## link. Use the see role instead: :zeek:see:`ZeexygenExample::a_function`. ## ## name: Describe the argument here. global an_event: event(name: string); 
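Review bot: In the `redef enum Notice::Type` hunk of example.zeek, the `##<` comment after `Zeexygen_Two` says it will document "ZEEXYGEN_TWO", which does not match the case of the declared identifier, whereas the comment just above uses "Zeexygen_One" exactly. This script is the reference example for the comment syntax, so I would write `##< will document "Zeexygen_Two".` to let readers match the comment to the declaration. The mismatch predates this change (the old text said "BROXYGEN_TWO"), but the line is being rewritten here anyway.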
diff --git a/src/Attr.cc b/src/Attr.cc index 47ea7d4f06..2f9673346c 100644 --- a/src/Attr.cc +++ b/src/Attr.cc @@ -51,7 +51,7 @@ void Attr::Describe(ODesc* d) const void Attr::DescribeReST(ODesc* d) const { - d->Add(":bro:attr:`"); + d->Add(":zeek:attr:`"); AddTag(d); d->Add("`"); @@ -64,14 +64,14 @@ void Attr::DescribeReST(ODesc* d) const if ( expr->Tag() == EXPR_NAME ) { - d->Add(":bro:see:`"); + d->Add(":zeek:see:`"); expr->Describe(d); d->Add("`"); } else if ( expr->Type()->Tag() == TYPE_FUNC ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(expr->Type()->AsFuncType()->FlavorString()); d->Add("`"); } diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index da7042f956..94aca30eb9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -143,7 +143,7 @@ set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE) add_subdirectory(analyzer) add_subdirectory(broker) -add_subdirectory(broxygen) +add_subdirectory(zeexygen) add_subdirectory(file_analysis) add_subdirectory(input) add_subdirectory(iosource) diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc index 07590590df..baddd2bdd8 100644 --- a/src/DebugLogger.cc +++ b/src/DebugLogger.cc @@ -18,7 +18,7 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = { { "dpd", 0, false }, { "tm", 0, false }, { "logging", 0, false }, {"input", 0, false }, { "threading", 0, false }, { "file_analysis", 0, false }, - { "plugins", 0, false }, { "broxygen", 0, false }, + { "plugins", 0, false }, { "zeexygen", 0, false }, { "pktio", 0, false }, { "broker", 0, false }, { "scripts", 0, false} }; diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 1eb8e30417..8026e8ba3c 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h 
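Review bot: The ReST role prefix is spelled out as a string literal at every call site in Attr::DescribeReST (`":zeek:attr:"`, `":zeek:see:"`, `":zeek:type:"`), and the same pattern repeats through the ID.cc and Type.cc hunks, so the rename had to touch each one by hand. A single shared definition of the domain name, e.g. `static const char rest_domain[] = "zeek";` used when building the role strings, would stop the emitted roles drifting apart the next time it changes. The generated text only resolves if the Sphinx domain is registered under the same `zeek` name, presumably on the documentation side, which is not visible in this patch, so it is worth confirming both land together. Attr::DescribeReST continues outside the hunk.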
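Review bot: The stream name in the `DebugLogger::streams` table changes from "broxygen" to "zeexygen", and that string looks like the name users pass to select a debug stream. If so, existing invocations and wrapper scripts that enable the old name would presumably stop matching after this change. Either keep the old spelling accepted for a release, or call the rename out in the release notes. The lookup code is outside this hunk, so this is inferred from the table alone; the matching `DBG_ZEEXYGEN` enum rename in DebugLogger.h is internal.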
@@ -30,7 +30,7 @@ enum DebugStream { DBG_THREADING, // Threading system DBG_FILE_ANALYSIS, // File analysis DBG_PLUGINS, // Plugin system - DBG_BROXYGEN, // Broxygen + DBG_ZEEXYGEN, // Zeexygen DBG_PKTIO, // Packet sources and dumpers. DBG_BROKER, // Broker communication DBG_SCRIPTS, // Script initialization diff --git a/src/ID.cc b/src/ID.cc index fd99d7c937..24c1c829ff 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -14,7 +14,7 @@ #include "PersistenceSerializer.h" #include "Scope.h" #include "Traverse.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export) { @@ -651,9 +651,9 @@ void ID::DescribeExtended(ODesc* d) const void ID::DescribeReSTShort(ODesc* d) const { if ( is_type ) - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); else - d->Add(":bro:id:`"); + d->Add(":zeek:id:`"); d->Add(name); d->Add("`"); @@ -661,7 +661,7 @@ void ID::DescribeReSTShort(ODesc* d) const if ( type ) { d->Add(": "); - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); if ( ! is_type && ! type->GetName().empty() ) d->Add(type->GetName().c_str()); @@ -682,7 +682,7 @@ void ID::DescribeReSTShort(ODesc* d) const if ( is_type ) d->Add(type_name(t)); else - d->Add(broxygen_mgr->GetEnumTypeName(Name()).c_str()); + d->Add(zeexygen_mgr->GetEnumTypeName(Name()).c_str()); break; default: @@ -706,18 +706,18 @@ void ID::DescribeReST(ODesc* d, bool roles_only) const if ( roles_only ) { if ( is_type ) - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); else - d->Add(":bro:id:`"); + d->Add(":zeek:id:`"); d->Add(name); d->Add("`"); } else { if ( is_type ) - d->Add(".. bro:type:: "); + d->Add(".. zeek:type:: "); else - d->Add(".. bro:id:: "); + d->Add(".. zeek:id:: "); d->Add(name); } @@ -730,7 +730,7 @@ void ID::DescribeReST(ODesc* d, bool roles_only) const if ( ! is_type && ! type->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(type->GetName()); d->Add("`"); } 
diff --git a/src/Type.cc b/src/Type.cc index 741f1cfc0f..0bc7d0e3fe 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -8,8 +8,8 @@ #include "Scope.h" #include "Serializer.h" #include "Reporter.h" -#include "broxygen/Manager.h" -#include "broxygen/utils.h" +#include "zeexygen/Manager.h" +#include "zeexygen/utils.h" #include #include @@ -190,7 +190,7 @@ void BroType::Describe(ODesc* d) const void BroType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(fmt(":bro:type:`%s`", type_name(Tag()))); + d->Add(fmt(":zeek:type:`%s`", type_name(Tag()))); } void BroType::SetError() @@ -478,7 +478,7 @@ void IndexType::Describe(ODesc* d) const void IndexType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); if ( IsSet() ) d->Add("set"); @@ -497,7 +497,7 @@ void IndexType::DescribeReST(ODesc* d, bool roles_only) const if ( ! t->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(t->GetName()); d->Add("`"); } @@ -513,7 +513,7 @@ void IndexType::DescribeReST(ODesc* d, bool roles_only) const if ( ! yield_type->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(yield_type->GetName()); d->Add("`"); } @@ -800,7 +800,7 @@ void FuncType::Describe(ODesc* d) const void FuncType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(FlavorString()); d->Add("`"); d->Add(" ("); @@ -813,7 +813,7 @@ void FuncType::DescribeReST(ODesc* d, bool roles_only) const if ( ! yield->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(yield->GetName()); d->Add("`"); } @@ -957,7 +957,7 @@ void TypeDecl::DescribeReST(ODesc* d, bool roles_only) const if ( ! type->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(type->GetName()); d->Add("`"); } 
@@ -1073,7 +1073,7 @@ void RecordType::Describe(ODesc* d) const void RecordType::DescribeReST(ODesc* d, bool roles_only) const { d->PushType(this); - d->Add(":bro:type:`record`"); + d->Add(":zeek:type:`record`"); if ( num_fields == 0 ) return; @@ -1197,8 +1197,8 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const if ( func_args ) continue; - using broxygen::IdentifierInfo; - IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(GetName()); + using zeexygen::IdentifierInfo; + IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(GetName()); if ( ! doc ) { @@ -1217,7 +1217,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const field_from_script != type_from_script ) { d->PushIndent(); - d->Add(broxygen::redef_indication(field_from_script).c_str()); + d->Add(zeexygen::redef_indication(field_from_script).c_str()); d->PopIndent(); } @@ -1237,7 +1237,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const { string s = cmnts[i]; - if ( broxygen::prettify_params(s) ) + if ( zeexygen::prettify_params(s) ) d->NL(); d->Add(s.c_str()); @@ -1405,7 +1405,7 @@ void OpaqueType::Describe(ODesc* d) const void OpaqueType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(fmt(":bro:type:`%s` of %s", type_name(Tag()), name.c_str())); + d->Add(fmt(":zeek:type:`%s` of %s", type_name(Tag()), name.c_str())); } IMPLEMENT_SERIAL(OpaqueType, SER_OPAQUE_TYPE); @@ -1505,7 +1505,7 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name, if ( deprecated ) id->MakeDeprecated(); - broxygen_mgr->Identifier(id); + zeexygen_mgr->Identifier(id); } else { @@ -1597,7 +1597,7 @@ EnumVal* EnumType::GetVal(bro_int_t i) void EnumType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(":bro:type:`enum`"); + d->Add(":zeek:type:`enum`"); // Create temporary, reverse name map so that enums can be documented // in ascending order of their actual integral value instead of by name. 
@@ -1614,12 +1614,12 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const d->PushIndent(); if ( roles_only ) - d->Add(fmt(":bro:enum:`%s`", it->second.c_str())); + d->Add(fmt(":zeek:enum:`%s`", it->second.c_str())); else - d->Add(fmt(".. bro:enum:: %s %s", it->second.c_str(), GetName().c_str())); + d->Add(fmt(".. zeek:enum:: %s %s", it->second.c_str(), GetName().c_str())); - using broxygen::IdentifierInfo; - IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(it->second); + using zeexygen::IdentifierInfo; + IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(it->second); if ( ! doc ) { @@ -1634,7 +1634,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const if ( doc->GetDeclaringScript() ) enum_from_script = doc->GetDeclaringScript()->Name(); - IdentifierInfo* type_doc = broxygen_mgr->GetIdentifierInfo(GetName()); + IdentifierInfo* type_doc = zeexygen_mgr->GetIdentifierInfo(GetName()); if ( type_doc && type_doc->GetDeclaringScript() ) type_from_script = type_doc->GetDeclaringScript()->Name(); @@ -1644,7 +1644,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const { d->NL(); d->PushIndent(); - d->Add(broxygen::redef_indication(enum_from_script).c_str()); + d->Add(zeexygen::redef_indication(enum_from_script).c_str()); d->PopIndent(); } @@ -1818,12 +1818,12 @@ void VectorType::Describe(ODesc* d) const void VectorType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(fmt(":bro:type:`%s` of ", type_name(Tag()))); + d->Add(fmt(":zeek:type:`%s` of ", type_name(Tag()))); if ( yield_type->GetName().empty() ) yield_type->DescribeReST(d, roles_only); else - d->Add(fmt(":bro:type:`%s`", yield_type->GetName().c_str())); + d->Add(fmt(":zeek:type:`%s`", yield_type->GetName().c_str())); } BroType* base_type_no_ref(TypeTag tag) diff --git a/src/analyzer/protocol/arp/events.bif b/src/analyzer/protocol/arp/events.bif index efee33d7f4..e12d0acd1c 100644 --- a/src/analyzer/protocol/arp/events.bif +++ b/src/analyzer/protocol/arp/events.bif 
@@ -15,7 +15,7 @@ ## ## THA: The target hardware address. ## -## .. bro:see:: arp_reply bad_arp +## .. zeek:see:: arp_reply bad_arp event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%); @@ -36,7 +36,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, ## ## THA: The target hardware address. ## -## .. bro:see:: arp_request bad_arp +## .. zeek:see:: arp_request bad_arp event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%); @@ -54,7 +54,7 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, ## ## explanation: A short description of why the ARP packet is considered "bad". ## -## .. bro:see:: arp_reply arp_request +## .. zeek:see:: arp_reply arp_request ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet diff --git a/src/analyzer/protocol/bittorrent/events.bif b/src/analyzer/protocol/bittorrent/events.bif index 8c4ddc146f..d86b497437 100644 --- a/src/analyzer/protocol/bittorrent/events.bif +++ b/src/analyzer/protocol/bittorrent/events.bif @@ -3,7 +3,7 @@ ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown 
@@ -16,7 +16,7 @@ event bittorrent_peer_handshake%(c: connection, is_orig: bool, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -28,7 +28,7 @@ event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -40,7 +40,7 @@ event bittorrent_peer_choke%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request 
@@ -52,7 +52,7 @@ event bittorrent_peer_unchoke%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -64,7 +64,7 @@ event bittorrent_peer_interested%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -76,7 +76,7 @@ event bittorrent_peer_not_interested%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown 
@@ -88,7 +88,7 @@ event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake +## .. zeek:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake ## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -100,7 +100,7 @@ event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%) ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown @@ -113,7 +113,7 @@ event bittorrent_peer_request%(c: connection, is_orig: bool, index: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown 
@@ -126,7 +126,7 @@ event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -139,7 +139,7 @@ event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -151,7 +151,7 @@ event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke 
@@ -164,7 +164,7 @@ event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -176,7 +176,7 @@ event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -189,7 +189,7 @@ event bt_tracker_request%(c: connection, uri: string, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke 
@@ -204,7 +204,7 @@ event bt_tracker_response%(c: connection, status: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -217,7 +217,7 @@ event bt_tracker_response_not_ok%(c: connection, status: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke diff --git a/src/analyzer/protocol/conn-size/events.bif b/src/analyzer/protocol/conn-size/events.bif index 38b263db57..9b1007ec3b 100644 --- a/src/analyzer/protocol/conn-size/events.bif +++ b/src/analyzer/protocol/conn-size/events.bif @@ -8,7 +8,7 @@ ## ## is_orig: true if the threshold was crossed by the originator of the connection ## -## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed ## get_current_conn_bytes_threshold get_current_conn_packets_threshold event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bool%); 
@@ -22,6 +22,6 @@ event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bo ## ## is_orig: true if the threshold was crossed by the originator of the connection ## -## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed ## get_current_conn_bytes_threshold get_current_conn_packets_threshold event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig: bool%); diff --git a/src/analyzer/protocol/conn-size/functions.bif b/src/analyzer/protocol/conn-size/functions.bif index d4ad045da7..9dc91bb722 100644 --- a/src/analyzer/protocol/conn-size/functions.bif +++ b/src/analyzer/protocol/conn-size/functions.bif @@ -26,7 +26,7 @@ static analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid) ## ## is_orig: If true, threshold is set for bytes from originator, otherwhise for bytes from responder. ## -## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed ## get_current_conn_bytes_threshold get_current_conn_packets_threshold function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool %{ 
@@ -49,7 +49,7 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or ## ## is_orig: If true, threshold is set for packets from originator, otherwhise for packets from responder. ## -## .. bro:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed ## get_current_conn_bytes_threshold get_current_conn_packets_threshold function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool %{ @@ -70,7 +70,7 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_ ## ## Returns: 0 if no threshold is set or the threshold in bytes ## -## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed ## get_current_conn_packets_threshold function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count %{ @@ -89,7 +89,7 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count ## ## Returns: 0 if no threshold is set or the threshold in packets ## -## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed ## get_current_conn_bytes_threshold function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): count %{ diff --git a/src/analyzer/protocol/dce-rpc/events.bif b/src/analyzer/protocol/dce-rpc/events.bif index 1e4a4e0d51..1f2b61255c 100644 --- a/src/analyzer/protocol/dce-rpc/events.bif +++ b/src/analyzer/protocol/dce-rpc/events.bif 
@@ -12,7 +12,7 @@ ## ## ptype: Enum representation of the prodecure type of the message. ## -## .. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response +## .. zeek:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message. @@ -33,7 +33,7 @@ event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count ## ## ver_minor: The minor version of the endpoint being requested. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response +## .. zeek:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response event dce_rpc_bind%(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message. @@ -54,7 +54,7 @@ event dce_rpc_bind%(c: connection, fid: count, ctx_id: count, uuid: string, ver_ ## ## ver_minor: The minor version of the endpoint being requested. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp +## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp event dce_rpc_alter_context%(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message. 
@@ -67,7 +67,7 @@ event dce_rpc_alter_context%(c: connection, fid: count, ctx_id: count, uuid: str ## ## sec_addr: Secondary address for the ack. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response +## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message. @@ -78,7 +78,7 @@ event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%); ## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was ## not transported over a pipe. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context +## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context event dce_rpc_alter_context_resp%(c: connection, fid: count%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message. @@ -95,7 +95,7 @@ event dce_rpc_alter_context_resp%(c: connection, fid: count%); ## ## stub_len: Length of the data for the request. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response +## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message. 
@@ -112,5 +112,5 @@ event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, s ## ## stub_len: Length of the data for the response. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request +## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request event dce_rpc_response%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%); diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index 6fe741d4d9..1113ca2687 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif @@ -13,7 +13,7 @@ ## ## len: The length of the message's raw representation (i.e., the DNS payload). ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name @@ -40,7 +40,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%); ## ## qclass: The queried resource record class. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name 
@@ -69,7 +69,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl ## ## qclass: The queried resource record class. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name @@ -95,7 +95,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc ## ## qclass: The queried resource record class. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name @@ -121,7 +121,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string, ## ## a: The address returned by the reply. ## -## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply +## .. zeek:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply ## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name 
@@ -146,7 +146,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); ## ## a: The address returned by the reply. ## -## .. bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## .. zeek:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified @@ -171,7 +171,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); ## ## a: The address returned by the reply. ## -## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## .. zeek:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified @@ -196,7 +196,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); ## ## name: The name returned by the reply. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name 
@@ -221,7 +221,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) ## ## name: The name returned by the reply. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified @@ -246,7 +246,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin ## ## name: The name returned by the reply. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name @@ -271,7 +271,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## ## soa: The parsed SOA value. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name 
@@ -294,7 +294,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -317,7 +317,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
 ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@@ -344,7 +344,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## preference: The preference for *name* specified by the reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -369,7 +369,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ##
 ## strs: The textual information returned by the reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -423,7 +423,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 ## p: Port of the SRV response -- the TCP or UDP port on which the
 ## service is to be found.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -442,7 +442,7 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: strin
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end
 event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
@@ -461,7 +461,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## ans: The parsed EDNS reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
 ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@@ -484,7 +484,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ##
 ## ans: The parsed TSIG reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -573,7 +573,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
 ##
 ## msg: The parsed DNS message header.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
diff --git a/src/analyzer/protocol/finger/events.bif b/src/analyzer/protocol/finger/events.bif
index e495263b12..d1b9212c22 100644
--- a/src/analyzer/protocol/finger/events.bif
+++ b/src/analyzer/protocol/finger/events.bif
@@ -11,7 +11,7 @@ ## ## hostname: The request's host name. ## -## .. bro:see:: finger_reply +## .. zeek:see:: finger_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -28,7 +28,7 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str ## ## reply_line: The reply as returned by the server ## -## .. bro:see:: finger_request +## .. zeek:see:: finger_request ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet diff --git a/src/analyzer/protocol/ftp/events.bif b/src/analyzer/protocol/ftp/events.bif index 16faa417d3..6cc2317936 100644 --- a/src/analyzer/protocol/ftp/events.bif +++ b/src/analyzer/protocol/ftp/events.bif @@ -9,7 +9,7 @@ ## ## arg: The arguments going with the command. ## -## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port +## .. zeek:see:: ftp_reply fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port event ftp_request%(c: connection, command: string, arg: string%); @@ -29,7 +29,7 @@ event ftp_request%(c: connection, command: string, arg: string%); ## to reassemble the pieces before processing the response any ## further. ## -## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port +## .. zeek:see:: ftp_request fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%); diff --git a/src/analyzer/protocol/ftp/functions.bif b/src/analyzer/protocol/ftp/functions.bif index 20c26b7c57..ad9c89fadb 100644 --- a/src/analyzer/protocol/ftp/functions.bif +++ b/src/analyzer/protocol/ftp/functions.bif 
@@ -117,20 +117,20 @@ static Val* parse_eftp(const char* line) %%} ## Converts a string representation of the FTP PORT command to an -## :bro:type:`ftp_port`. +## :zeek:type:`ftp_port`. ## ## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``. ## ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``. ## -## .. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port +## .. zeek:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port function parse_ftp_port%(s: string%): ftp_port %{ return parse_port(s->CheckString()); %} ## Converts a string representation of the FTP EPRT command (see :rfc:`2428`) -## to an :bro:type:`ftp_port`. The format is +## to an :zeek:type:`ftp_port`. The format is ## ``"EPRT"``, ## where ```` is a delimiter in the ASCII range 33-126 (usually ``|``). ## @@ -138,19 +138,19 @@ function parse_ftp_port%(s: string%): ftp_port ## ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``. ## -## .. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port +## .. zeek:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port function parse_eftp_port%(s: string%): ftp_port %{ return parse_eftp(s->CheckString()); %} -## Converts the result of the FTP PASV command to an :bro:type:`ftp_port`. +## Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`. ## ## str: The string containing the result of the FTP PASV command. ## ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``. ## -## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port +## .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port function parse_ftp_pasv%(str: string%): ftp_port %{ const char* s = str->CheckString(); 
@@ -170,14 +170,14 @@ function parse_ftp_pasv%(str: string%): ftp_port %} ## Converts the result of the FTP EPSV command (see :rfc:`2428`) to an -## :bro:type:`ftp_port`. The format is ``" ()"``, +## :zeek:type:`ftp_port`. The format is ``" ()"``, ## where ```` is a delimiter in the ASCII range 33-126 (usually ``|``). ## ## str: The string containing the result of the FTP EPSV command. ## ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``. ## -## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port +## .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port function parse_ftp_epsv%(str: string%): ftp_port %{ const char* s = str->CheckString(); @@ -196,7 +196,7 @@ function parse_ftp_epsv%(str: string%): ftp_port ## ## Returns: The FTP PORT string. ## -## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv +## .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv function fmt_ftp_port%(a: addr, p: port%): string %{ const uint32* addr; diff --git a/src/analyzer/protocol/gnutella/events.bif b/src/analyzer/protocol/gnutella/events.bif index 9384f34e88..f09b0890c7 100644 --- a/src/analyzer/protocol/gnutella/events.bif +++ b/src/analyzer/protocol/gnutella/events.bif @@ -3,7 +3,7 @@ ## See `Wikipedia `__ for more ## information about the Gnutella protocol. ## -## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify +## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify ## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found ## ## 
@@ -18,7 +18,7 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
+## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
 ## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -35,7 +35,7 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ## gnutella_not_establish gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -50,7 +50,7 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
+## .. zeek:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
 ## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -64,7 +64,7 @@ event gnutella_establish%(c: connection%);
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -78,7 +78,7 @@ event gnutella_not_establish%(c: connection%);
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
+## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
 ## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
diff --git a/src/analyzer/protocol/http/events.bif b/src/analyzer/protocol/http/events.bif
index ab005ba8d6..f86ee09ccd 100644
--- a/src/analyzer/protocol/http/events.bif
+++ b/src/analyzer/protocol/http/events.bif
@@ -2,7 +2,7 @@
 ## Generated for HTTP requests. Bro supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a request's initial line has
-## been parsed, and before any :bro:id:`http_header` events are raised.
+## been parsed, and before any :zeek:id:`http_header` events are raised.
 ##
 ## See `Wikipedia `__
 ## for more information about the HTTP protocol.
@@ -17,7 +17,7 @@
 ##
 ## version: The version number specified in the request (e.g., ``1.1``).
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_header http_message_done http_reply http_stats
 ## truncate_http_URI http_connection_upgrade
 event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
@@ -25,7 +25,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
 ## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a reply's initial line has
-## been parsed, and before any :bro:id:`http_header` events are raised.
+## been parsed, and before any :zeek:id:`http_header` events are raised.
 ##
 ## See `Wikipedia `__
 ## for more information about the HTTP protocol.
@@ -38,7 +38,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
 ##
 ## reason: The textual description returned by the server along with *code*.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_header http_message_done http_request
 ## http_stats http_connection_upgrade
 event http_reply%(c: connection, version: string, code: count, reason: string%);
@@ -58,7 +58,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
 ##
 ## value: The value of the header.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_message_done http_reply http_request
 ## http_stats http_connection_upgrade
 ##
@@ -81,7 +81,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%);
 ## The table is indexed by the position of the header (1 for the first,
 ## 2 for the second, etc.).
 ##
-## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data
+## .. zeek:see:: http_begin_entity http_content_type http_end_entity http_entity_data
 ## http_event http_header http_message_done http_reply http_request http_stats
 ## http_connection_upgrade
 ##
@@ -103,7 +103,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
 ## is_orig: True if the entity was sent by the originator of the TCP
 ## connection.
 ##
-## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data
+## .. zeek:see:: http_all_headers http_content_type http_end_entity http_entity_data
 ## http_event http_header http_message_done http_reply http_request http_stats
 ## mime_begin_entity http_connection_upgrade
 event http_begin_entity%(c: connection, is_orig: bool%);
@@ -122,7 +122,7 @@ event http_begin_entity%(c: connection, is_orig: bool%);
 ## is_orig: True if the entity was sent by the originator of the TCP
 ## connection.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_entity_data
 ## http_event http_header http_message_done http_reply http_request
 ## http_stats mime_end_entity http_connection_upgrade
 event http_end_entity%(c: connection, is_orig: bool%);
@@ -134,7 +134,7 @@ event http_end_entity%(c: connection, is_orig: bool%);
 ## A common idiom for using this event is to first *reassemble* the data
 ## at the scripting layer by concatenating it to a successively growing
 ## string; and only perform further content analysis once the corresponding
-## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so
+## :zeek:id:`http_end_entity` event has been raised. Note, however, that doing so
 ## can be quite expensive for HTTP tranders. At the very least, one should
 ## impose an upper size limit on how much data is being buffered.
 ##
@@ -150,7 +150,7 @@ event http_end_entity%(c: connection, is_orig: bool%);
 ##
 ## data: One chunk of raw entity data.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_event http_header http_message_done http_reply http_request http_stats
 ## mime_entity_data http_entity_data_delivery_size skip_http_data
 ## http_connection_upgrade
@@ -173,7 +173,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
 ##
 ## subty: The subtype.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
+## .. zeek:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
 ## http_event http_header http_message_done http_reply http_request http_stats
 ## http_connection_upgrade
 ##
@@ -199,7 +199,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string
 ##
 ## stat: Further meta information about the message.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_header http_reply http_request http_stats
 ## http_connection_upgrade
 event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%);
@@ -216,7 +216,7 @@ event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%)
 ##
 ## detail: Further more detailed description of the error.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_header http_message_done http_reply http_request
 ## http_stats mime_event http_connection_upgrade
 event http_event%(c: connection, event_type: string, detail: string%);
@@ -230,7 +230,7 @@ event http_event%(c: connection, event_type: string, detail: string%); ## stats: Statistics summarizing HTTP-level properties of the finished ## connection. ## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_reply ## http_request http_connection_upgrade event http_stats%(c: connection, stats: http_stats_rec%); @@ -243,7 +243,7 @@ event http_stats%(c: connection, stats: http_stats_rec%); ## ## protocol: The protocol to which the connection is switching. ## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_reply ## http_request event http_connection_upgrade%(c: connection, protocol: string%); diff --git a/src/analyzer/protocol/http/functions.bif b/src/analyzer/protocol/http/functions.bif index 6ef6fecb81..ff4f0015b7 100644 --- a/src/analyzer/protocol/http/functions.bif +++ b/src/analyzer/protocol/http/functions.bif @@ -9,7 +9,7 @@ ## ## is_orig: If true, the client data is skipped, and the server data otherwise. ## -## .. bro:see:: skip_smtp_data +## .. zeek:see:: skip_smtp_data function skip_http_entity_data%(c: connection, is_orig: bool%): any %{ analyzer::ID id = mgr.CurrentAnalyzer(); diff --git a/src/analyzer/protocol/icmp/events.bif b/src/analyzer/protocol/icmp/events.bif index bd55f17b27..ef7d2b7da5 100644 --- a/src/analyzer/protocol/icmp/events.bif +++ b/src/analyzer/protocol/icmp/events.bif 
@@ -12,10 +12,10 @@ ## icmp: Additional ICMP-specific information augmenting the standard ## connection record *c*. ## -## .. bro:see:: icmp_error_message icmp_sent_payload +## .. zeek:see:: icmp_error_message icmp_sent_payload event icmp_sent%(c: connection, icmp: icmp_conn%); -## The same as :bro:see:`icmp_sent` except containing the ICMP payload. +## The same as :zeek:see:`icmp_sent` except containing the ICMP payload. ## ## c: The connection record for the corresponding ICMP flow. ## @@ -24,7 +24,7 @@ event icmp_sent%(c: connection, icmp: icmp_conn%); ## ## payload: The payload of the ICMP message. ## -## .. bro:see:: icmp_error_message icmp_sent_payload +## .. zeek:see:: icmp_error_message icmp_sent_payload event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%); ## Generated for ICMP *echo request* messages. @@ -45,7 +45,7 @@ event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%); ## payload: The message-specific data of the packet payload, i.e., everything ## after the first 8 bytes of the ICMP header. ## -## .. bro:see:: icmp_echo_reply +## .. zeek:see:: icmp_echo_reply event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); ## Generated for ICMP *echo reply* messages. @@ -66,7 +66,7 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, ## payload: The message-specific data of the packet payload, i.e., everything ## after the first 8 bytes of the ICMP header. ## -## .. bro:see:: icmp_echo_request +## .. zeek:see:: icmp_echo_request event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); ## Generated for all ICMPv6 error messages that are not handled 
@@ -88,7 +88,7 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa ## context: A record with specifics of the original packet that the message ## refers to. ## -## .. bro:see:: icmp_unreachable icmp_packet_too_big +## .. zeek:see:: icmp_unreachable icmp_packet_too_big ## icmp_time_exceeded icmp_parameter_problem event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); @@ -112,7 +112,7 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: ## includes only a partial IP header for some reason, no ## fields of *context* will be filled out. ## -## .. bro:see:: icmp_error_message icmp_packet_too_big +## .. zeek:see:: icmp_error_message icmp_packet_too_big ## icmp_time_exceeded icmp_parameter_problem event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); @@ -136,7 +136,7 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic ## a partial IP header for some reason, no fields of *context* will ## be filled out. ## -## .. bro:see:: icmp_error_message icmp_unreachable +## .. zeek:see:: icmp_error_message icmp_unreachable ## icmp_time_exceeded icmp_parameter_problem event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); @@ -160,7 +160,7 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: ## only a partial IP header for some reason, no fields of *context* ## will be filled out. ## -## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big +## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big ## icmp_parameter_problem event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); 
@@ -184,7 +184,7 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: ## includes only a partial IP header for some reason, no fields ## of *context* will be filled out. ## -## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big +## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big ## icmp_time_exceeded event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); @@ -201,7 +201,7 @@ event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, conte ## ## options: Any Neighbor Discovery options included with message (:rfc:`4861`). ## -## .. bro:see:: icmp_router_advertisement +## .. zeek:see:: icmp_router_advertisement ## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%); @@ -239,7 +239,7 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_n ## ## options: Any Neighbor Discovery options included with message (:rfc:`4861`). ## -## .. bro:see:: icmp_router_solicitation +## .. zeek:see:: icmp_router_solicitation ## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%); 
@@ -258,7 +258,7 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: ## ## options: Any Neighbor Discovery options included with message (:rfc:`4861`). ## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_advertisement icmp_redirect event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%); @@ -284,7 +284,7 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, opt ## ## options: Any Neighbor Discovery options included with message (:rfc:`4861`). ## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_solicitation icmp_redirect event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%); @@ -306,7 +306,7 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, ## ## options: Any Neighbor Discovery options included with message (:rfc:`4861`). ## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_solicitation icmp_neighbor_advertisement event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%); diff --git a/src/analyzer/protocol/ident/events.bif b/src/analyzer/protocol/ident/events.bif index 96a7f37a31..ecbf8efee8 100644 --- a/src/analyzer/protocol/ident/events.bif +++ b/src/analyzer/protocol/ident/events.bif 
@@ -9,7 +9,7 @@
 ##
 ## rport: The request's remote port.
 ##
-## .. bro:see:: ident_error ident_reply
+## .. zeek:see:: ident_error ident_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -32,7 +32,7 @@ event ident_request%(c: connection, lport: port, rport: port%);
 ##
 ## system: The operating system returned by the reply.
 ##
-## .. bro:see:: ident_error ident_request
+## .. zeek:see:: ident_error ident_request
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -53,7 +53,7 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
 ##
 ## line: The error description returned by the reply.
 ##
-## .. bro:see:: ident_reply ident_request
+## .. zeek:see:: ident_reply ident_request
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
diff --git a/src/analyzer/protocol/irc/events.bif b/src/analyzer/protocol/irc/events.bif
index be425817b2..d6af5fbae1 100644
--- a/src/analyzer/protocol/irc/events.bif
+++ b/src/analyzer/protocol/irc/events.bif
@@ -15,7 +15,7 @@
 ##
 ## arguments: The arguments for the command.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -23,7 +23,7 @@ ## ## .. note:: This event is generated only for messages that originate ## at the client-side. Commands coming in from remote trigger -## the :bro:id:`irc_message` event instead. +## the :zeek:id:`irc_message` event instead. event irc_request%(c: connection, is_orig: bool, prefix: string, command: string, arguments: string%); @@ -45,7 +45,7 @@ event irc_request%(c: connection, is_orig: bool, prefix: string, ## ## params: The reply's parameters. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response @@ -69,7 +69,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string, ## ## message: TODO. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response @@ -79,7 +79,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string, ## ## This event is generated only for messages that are forwarded by the server ## to the client. Commands coming from client trigger the -## :bro:id:`irc_request` event instead. +## :zeek:id:`irc_request` event instead. event irc_message%(c: connection, is_orig: bool, prefix: string, command: string, message: string%); 
@@ -98,7 +98,7 @@ event irc_message%(c: connection, is_orig: bool, prefix: string,
 ##
 ## message: The text included with the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -122,7 +122,7 @@ event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: str
 ##
 ## message: The text of communication.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -147,7 +147,7 @@ event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
 ##
 ## message: The text of communication.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_oper_message irc_oper_response irc_part_message
@@ -172,7 +172,7 @@ event irc_notice_message%(c: connection, is_orig: bool, source: string, ## ## message: The text of communication. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response @@ -193,7 +193,7 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string, ## ## info_list: The user information coming with the command. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -217,7 +217,7 @@ event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%) ## ## message: The text coming with the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response 
@@ -240,7 +240,7 @@ event irc_part_message%(c: connection, is_orig: bool, nick: string, ## ## newnick: The new nickname. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -257,7 +257,7 @@ event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: stri ## is_orig: True if the command was sent by the originator of the TCP ## connection. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invite_message irc_join_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -280,7 +280,7 @@ event irc_invalid_nick%(c: connection, is_orig: bool%); ## ## servers: The number of servers as returned in the reply. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message 
@@ -304,7 +304,7 @@ event irc_network_info%(c: connection, is_orig: bool, users: count, ## ## servers: The number of servers as returned in the reply. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response @@ -324,7 +324,7 @@ event irc_server_info%(c: connection, is_orig: bool, users: count, ## ## chans: The number of channels as returned in the reply. ## -## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users +## .. zeek:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -359,7 +359,7 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%); ## ## real_name: The real name. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response 
@@ -386,7 +386,7 @@ event irc_who_line%(c: connection, is_orig: bool, target_nick: string, ## ## users: The set of users. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -406,7 +406,7 @@ event irc_names_info%(c: connection, is_orig: bool, c_type: string, ## ## nick: The nickname specified in the reply. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response @@ -427,7 +427,7 @@ event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); ## ## chans: The set of channels returned. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response 
@@ -453,7 +453,7 @@ event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string, ## ## real_name: The real name specified in the reply. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response @@ -474,7 +474,7 @@ event irc_whois_user_line%(c: connection, is_orig: bool, nick: string, ## got_oper: True if the *oper* command was executed successfully ## (*youreport*) and false otherwise (*nooperhost*). ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_part_message @@ -496,7 +496,7 @@ event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%); ## ## msg: The message coming with the reply. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message 
@@ -517,7 +517,7 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin ## ## topic: The topic specified in the reply. ## -## .. bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users +## .. zeek:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -539,7 +539,7 @@ event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: s ## ## oper: True if the operator flag was set. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response @@ -561,7 +561,7 @@ event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); ## ## users: TODO. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response 
@@ -583,7 +583,7 @@ event irc_whois_message%(c: connection, is_orig: bool, server: string, users: st ## ## password: The password specified in the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_response irc_part_message @@ -610,7 +610,7 @@ event irc_oper_message%(c: connection, is_orig: bool, user: string, password: st ## ## comment: The comment specified in the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -634,7 +634,7 @@ event irc_kick_message%(c: connection, is_orig: bool, prefix: string, ## ## message: The textual description specified in the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message 
@@ -659,7 +659,7 @@ event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: ## ## channel: The channel specified in the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_join_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -683,7 +683,7 @@ event irc_invite_message%(c: connection, is_orig: bool, prefix: string, ## ## params: The parameters coming with the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -708,7 +708,7 @@ event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: st ## ## message: The textual description specified in the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response 
@@ -742,7 +742,7 @@ event irc_squit_message%(c: connection, is_orig: bool, prefix: string, ## ## size: The size specified in the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users +## .. zeek:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message @@ -771,7 +771,7 @@ event irc_dcc_message%(c: connection, is_orig: bool, ## ## real_name: The real name specified in the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response @@ -791,7 +791,7 @@ event irc_user_message%(c: connection, is_orig: bool, user: string, host: string ## ## password: The password specified in the message. ## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response diff --git a/src/analyzer/protocol/krb/events.bif b/src/analyzer/protocol/krb/events.bif index 19b165a4be..26405442ed 100644 --- a/src/analyzer/protocol/krb/events.bif +++ b/src/analyzer/protocol/krb/events.bif 
@@ -11,7 +11,7 @@ ## ## msg: A Kerberos KDC request message data structure. ## -## .. bro:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request +## .. zeek:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request ## krb_ap_response krb_priv krb_safe krb_cred krb_error event krb_as_request%(c: connection, msg: KRB::KDC_Request%); @@ -27,7 +27,7 @@ event krb_as_request%(c: connection, msg: KRB::KDC_Request%); ## ## msg: A Kerberos KDC reply message data structure. ## -## .. bro:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request +## .. zeek:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request ## krb_ap_response krb_priv krb_safe krb_cred krb_error event krb_as_response%(c: connection, msg: KRB::KDC_Response%); @@ -44,7 +44,7 @@ event krb_as_response%(c: connection, msg: KRB::KDC_Response%); ## ## msg: A Kerberos KDC request message data structure. ## -## .. bro:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request +## .. zeek:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request ## krb_ap_response krb_priv krb_safe krb_cred krb_error event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%); @@ -60,7 +60,7 @@ event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%); ## ## msg: A Kerberos KDC reply message data structure. ## -## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request +## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request ## krb_ap_response krb_priv krb_safe krb_cred krb_error event krb_tgs_response%(c: connection, msg: KRB::KDC_Response%); 
@@ -78,7 +78,7 @@ event krb_tgs_response%(c: connection, msg: KRB::KDC_Response%); ## ## opts: A Kerberos AP options data structure. ## -## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response +## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response ## krb_ap_response krb_priv krb_safe krb_cred krb_error event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%); @@ -93,7 +93,7 @@ event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options% ## ## c: The connection over which this Kerberos message was sent. ## -## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response +## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response ## krb_ap_request krb_priv krb_safe krb_cred krb_error event krb_ap_response%(c: connection%); @@ -109,7 +109,7 @@ event krb_ap_response%(c: connection%); ## ## is_orig: Whether the originator of the connection sent this message. ## -## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response +## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response ## krb_ap_request krb_ap_response krb_safe krb_cred krb_error event krb_priv%(c: connection, is_orig: bool%); @@ -125,7 +125,7 @@ event krb_priv%(c: connection, is_orig: bool%); ## ## msg: A Kerberos SAFE message data structure. ## -## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response +## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response ## krb_ap_request krb_ap_response krb_priv krb_cred krb_error event krb_safe%(c: connection, is_orig: bool, msg: KRB::SAFE_Msg%); 
@@ -141,7 +141,7 @@ event krb_safe%(c: connection, is_orig: bool, msg: KRB::SAFE_Msg%); ## ## tickets: Tickets obtained from the KDC that are being forwarded. ## -## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response +## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response ## krb_ap_request krb_ap_response krb_priv krb_safe krb_error event krb_cred%(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector%); @@ -154,6 +154,6 @@ event krb_cred%(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector%); ## ## msg: A Kerberos error message data structure. ## -## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response +## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response ## krb_ap_request krb_ap_response krb_priv krb_safe krb_cred event krb_error%(c: connection, msg: KRB::Error_Msg%); diff --git a/src/analyzer/protocol/login/events.bif b/src/analyzer/protocol/login/events.bif index 91c58f21c4..39921b4c5e 100644 --- a/src/analyzer/protocol/login/events.bif +++ b/src/analyzer/protocol/login/events.bif @@ -14,7 +14,7 @@ ## ## new_session: True if this is the first command of the Rsh session. ## -## .. bro:see:: rsh_reply login_confused login_confused_text login_display +## .. zeek:see:: rsh_reply login_confused login_confused_text login_display ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## @@ -41,7 +41,7 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line ## ## line: The command line sent in the request. ## -## .. bro:see:: rsh_request login_confused login_confused_text login_display +## .. zeek:see:: rsh_request login_confused login_confused_text login_display ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## 
@@ -72,7 +72,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line: ## line: The line of text that led the analyzer to conclude that the ## authentication had failed. ## -## .. bro:see:: login_confused login_confused_text login_display login_input_line +## .. zeek:see:: login_confused login_confused_text login_display login_input_line ## login_output_line login_prompt login_success login_terminal direct_login_prompts ## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs ## login_timeouts set_login_state @@ -85,7 +85,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); @@ -107,7 +107,7 @@ event login_failure%(c: connection, user: string, client_user: string, password: ## line: The line of text that led the analyzer to conclude that the ## authentication had succeeded. ## -## .. bro:see:: login_confused login_confused_text login_display login_failure +## .. zeek:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_prompt login_terminal ## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs ## login_prompts login_success_msgs login_timeouts set_login_state 
@@ -120,7 +120,7 @@ event login_failure%(c: connection, user: string, client_user: string, password: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); @@ -131,13 +131,13 @@ event login_success%(c: connection, user: string, client_user: string, password: ## ## line: The input line. ## -## .. bro:see:: login_confused login_confused_text login_display login_failure +## .. zeek:see:: login_confused login_confused_text login_display login_failure ## login_output_line login_prompt login_success login_terminal rsh_request ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_input_line%(c: connection, line: string%); 
@@ -148,13 +148,13 @@ event login_input_line%(c: connection, line: string%); ## ## line: The ouput line. ## -## .. bro:see:: login_confused login_confused_text login_display login_failure +## .. zeek:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_prompt login_success login_terminal rsh_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_output_line%(c: connection, line: string%); @@ -173,7 +173,7 @@ event login_output_line%(c: connection, line: string%); ## line: The line of text that caused the heuristics to conclude they were ## confused. ## -## .. bro:see:: login_confused_text login_display login_failure login_input_line login_output_line +## .. zeek:see:: login_confused_text login_display login_failure login_input_line login_output_line ## login_prompt login_success login_terminal direct_login_prompts get_login_state ## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs ## login_timeouts set_login_state 
@@ -181,20 +181,20 @@ event login_output_line%(c: connection, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_confused%(c: connection, msg: string, line: string%); ## Generated after getting confused while tracking a Telnet/Rlogin ## authentication dialog. The *login* analyzer generates this even for every -## line of user input after it has reported :bro:id:`login_confused` for a +## line of user input after it has reported :zeek:id:`login_confused` for a ## connection. ## ## c: The connection. ## ## line: The line the user typed. ## -## .. bro:see:: login_confused login_display login_failure login_input_line +## .. zeek:see:: login_confused login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal direct_login_prompts ## get_login_state login_failure_msgs login_non_failure_msgs login_prompts ## login_success_msgs login_timeouts set_login_state @@ -202,7 +202,7 @@ event login_confused%(c: connection, msg: string, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_confused_text%(c: connection, line: string%); 
@@ -213,13 +213,13 @@ event login_confused_text%(c: connection, line: string%); ## ## terminal: The TERM value transmitted. ## -## .. bro:see:: login_confused login_confused_text login_display login_failure +## .. zeek:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_prompt login_success ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_terminal%(c: connection, terminal: string%); @@ -230,13 +230,13 @@ event login_terminal%(c: connection, terminal: string%); ## ## display: The DISPLAY transmitted. ## -## .. bro:see:: login_confused login_confused_text login_failure login_input_line +## .. zeek:see:: login_confused login_confused_text login_failure login_input_line ## login_output_line login_prompt login_success login_terminal ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_display%(c: connection, display: string%); 
@@ -252,16 +252,16 @@ event login_display%(c: connection, display: string%); ## ## c: The connection. ## -## .. bro:see:: authentication_rejected authentication_skipped login_success +## .. zeek:see:: authentication_rejected authentication_skipped login_success ## ## .. note:: This event inspects the corresponding Telnet option -## while :bro:id:`login_success` heuristically determines success by watching +## while :zeek:id:`login_success` heuristically determines success by watching ## session data. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event authentication_accepted%(name: string, c: connection%); @@ -277,16 +277,16 @@ event authentication_accepted%(name: string, c: connection%); ## ## c: The connection. ## -## .. bro:see:: authentication_accepted authentication_skipped login_failure +## .. zeek:see:: authentication_accepted authentication_skipped login_failure ## ## .. note:: This event inspects the corresponding Telnet option -## while :bro:id:`login_success` heuristically determines failure by watching +## while :zeek:id:`login_success` heuristically determines failure by watching ## session data. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event authentication_rejected%(name: string, c: connection%); 
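Review bot: In the second hunk on this line (`@@ -277,16 +277,16 @@`, the comment above `authentication_rejected`), the renamed note still points at `login_success` although the sentence describes how failure is determined. The `zeek:see` list two lines earlier in the same comment names `login_failure`, so this looks like a copy of the `authentication_accepted` note. Since the line is rewritten anyway, the `:zeek:id:` target should be `login_failure`; otherwise readers building detections for rejected Telnet authentication are sent to the wrong heuristic event. The doc comment begins above the hunk, so the rest of it is not visible here.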
@@ -298,7 +298,7 @@ event authentication_rejected%(name: string, c: connection%); ## ## c: The connection. ## -## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts +## .. zeek:see:: authentication_accepted authentication_rejected direct_login_prompts ## get_login_state login_failure_msgs login_non_failure_msgs login_prompts ## login_success_msgs login_timeouts set_login_state ## @@ -310,7 +310,7 @@ event authentication_rejected%(name: string, c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event authentication_skipped%(c: connection%); @@ -325,13 +325,13 @@ event authentication_skipped%(c: connection%); ## ## prompt: The TTYPROMPT transmitted. ## -## .. bro:see:: login_confused login_confused_text login_display login_failure +## .. zeek:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_success login_terminal ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_prompt%(c: connection, prompt: string%); 
@@ -344,7 +344,7 @@ event login_prompt%(c: connection, prompt: string%); ## ## c: The connection. ## -## .. bro:see:: authentication_accepted authentication_rejected authentication_skipped +## .. zeek:see:: authentication_accepted authentication_rejected authentication_skipped ## login_confused login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal event activating_encryption%(c: connection%); @@ -362,7 +362,7 @@ event activating_encryption%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: bad_option bad_option_termination authentication_accepted +## .. zeek:see:: bad_option bad_option_termination authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal @@ -375,7 +375,7 @@ event inconsistent_option%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted +## .. zeek:see:: inconsistent_option bad_option_termination authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal @@ -383,7 +383,7 @@ event inconsistent_option%(c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event bad_option%(c: connection%); 
@@ -394,7 +394,7 @@ event bad_option%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: inconsistent_option bad_option authentication_accepted
+## .. zeek:see:: inconsistent_option bad_option authentication_accepted
 ## authentication_rejected authentication_skipped login_confused
 ## login_confused_text login_display login_failure login_input_line
 ## login_output_line login_prompt login_success login_terminal
@@ -402,6 +402,6 @@ event bad_option%(c: connection%);
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
 ## been ported to Bro 2.x. To still enable this event, one needs to add a
-## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
+## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ## signature.
 event bad_option_termination%(c: connection%);
diff --git a/src/analyzer/protocol/login/functions.bif b/src/analyzer/protocol/login/functions.bif
index bc4b2a7104..932020595c 100644
--- a/src/analyzer/protocol/login/functions.bif
+++ b/src/analyzer/protocol/login/functions.bif
@@ -21,7 +21,7 @@
 ## does not correctly know the state of the connection, and/or
 ## the username associated with it.
 ##
-## .. bro:see:: set_login_state
+## .. zeek:see:: set_login_state
 function get_login_state%(cid: conn_id%): count
 %{
 Connection* c = sessions->FindConnection(cid);
@@ -40,12 +40,12 @@ function get_login_state%(cid: conn_id%): count
 ## cid: The connection ID.
 ##
 ## new_state: The new state of the login analyzer. See
-## :bro:id:`get_login_state` for possible values.
+## :zeek:id:`get_login_state` for possible values.
 ##
 ## Returns: Returns false if *cid* is not an active connection
 ## or is not tagged as a login analyzer, and true otherwise.
 ##
-## .. bro:see:: get_login_state
+## .. zeek:see:: get_login_state
 function set_login_state%(cid: conn_id, new_state: count%): bool
 %{
 Connection* c = sessions->FindConnection(cid);
diff --git a/src/analyzer/protocol/mime/events.bif b/src/analyzer/protocol/mime/events.bif
index c0b2e66132..1c73e2e69b 100644
--- a/src/analyzer/protocol/mime/events.bif
+++ b/src/analyzer/protocol/mime/events.bif
@@ -9,12 +9,12 @@
 ##
 ## c: The connection.
 ##
-## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
+## .. zeek:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
 ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
 ## http_begin_entity
 ##
 ## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
-## however, it raises :bro:id:`http_begin_entity` instead.
+## however, it raises :zeek:id:`http_begin_entity` instead.
 event mime_begin_entity%(c: connection%);
 ## Generated when finishing parsing an email MIME entity. MIME is a
@@ -28,12 +28,12 @@ event mime_begin_entity%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
 ## http_end_entity
 ##
 ## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
-## however, it raises :bro:id:`http_end_entity` instead.
+## however, it raises :zeek:id:`http_end_entity` instead.
 event mime_end_entity%(c: connection%);
 ## Generated for individual MIME headers extracted from email MIME
@@ -48,12 +48,12 @@ event mime_end_entity%(c: connection%);
 ##
 ## h: The parsed MIME header.
 ##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ## mime_end_entity mime_entity_data mime_event mime_segment_data
 ## http_header http_all_headers
 ##
 ## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
-## however, it raises :bro:id:`http_header` instead.
+## however, it raises :zeek:id:`http_header` instead.
 event mime_one_header%(c: connection, h: mime_header_rec%);
 ## Generated for MIME headers extracted from email MIME entities, passing all
@@ -70,12 +70,12 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
 ## The table is indexed by the position of the header (1 for the first,
 ## 2 for the second, etc.).
 ##
-## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
+## .. zeek:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
 ## mime_entity_data mime_event mime_one_header mime_segment_data
 ## http_header http_all_headers
 ##
 ## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
-## however, it raises :bro:id:`http_header` instead.
+## however, it raises :zeek:id:`http_header` instead.
 event mime_all_headers%(c: connection, hlist: mime_header_list%);
 ## Generated for chunks of decoded MIME data from email MIME entities. MIME
@@ -83,7 +83,7 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%);
 ## corresponding metadata, for transmission. As Bro parses the data of an
 ## entity, it raises a sequence of these events, each coming as soon as a new
 ## chunk of data is available. In contrast, there is also
-## :bro:id:`mime_entity_data`, which passes all of an entities data at once
+## :zeek:id:`mime_entity_data`, which passes all of an entities data at once
 ## in a single block. While the latter is more convenient to handle,
 ## ``mime_segment_data`` is more efficient as Bro does not need to buffer
 ## the data. Thus, if possible, this event should be preferred.
@@ -98,17 +98,17 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%);
 ##
 ## data: The raw data of one segment of the current entity.
 ##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
 ## mime_segment_length mime_segment_overlap_length
 ##
 ## .. note:: Bro also extracts MIME data from HTTP sessions. For those,
-## however, it raises :bro:id:`http_entity_data` (sic!) instead.
+## however, it raises :zeek:id:`http_entity_data` (sic!) instead.
 event mime_segment_data%(c: connection, length: count, data: string%);
 ## Generated for data decoded from an email MIME entity. This event delivers
 ## the complete content of a single MIME entity with the quoted-printable and
-## and base64 data decoded. In contrast, there is also :bro:id:`mime_segment_data`,
+## and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
 ## which passes on a sequence of data chunks as they come in. While
 ## ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
 ## more efficient as Bro does not need to buffer the data. Thus, if possible,
@@ -124,7 +124,7 @@ event mime_segment_data%(c: connection, length: count, data: string%);
 ##
 ## data: The raw data of the complete entity.
 ##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ## mime_end_entity mime_event mime_one_header mime_segment_data
 ##
 ## .. note:: While Bro also decodes MIME entities extracted from HTTP
@@ -147,7 +147,7 @@ event mime_entity_data%(c: connection, length: count, data: string%);
 ##
 ## data: The raw data of all MIME entities concatenated.
 ##
-## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
+## .. zeek:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
 ## mime_entity_data mime_event mime_one_header mime_segment_data
 ##
 ## .. note:: While Bro also decodes MIME entities extracted from HTTP
@@ -167,11 +167,11 @@ event mime_all_data%(c: connection, length: count, data: string%);
 ##
 ## detail: Further more detailed description of the error.
 ##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event
 ##
 ## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
-## however, it raises :bro:id:`http_event` instead.
+## however, it raises :zeek:id:`http_event` instead.
 event mime_event%(c: connection, event_type: string, detail: string%);
 ## Generated for decoded MIME entities extracted from email messages, passing on
@@ -188,7 +188,7 @@ event mime_event%(c: connection, event_type: string, detail: string%);
 ##
 ## hash_value: The MD5 hash.
 ##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
+## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
 ## mime_entity_data mime_event mime_one_header mime_segment_data
 ##
 ## .. note:: While Bro also decodes MIME entities extracted from HTTP
diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif
index 34cbc54b4b..7ce65276a6 100644
--- a/src/analyzer/protocol/mysql/events.bif
+++ b/src/analyzer/protocol/mysql/events.bif
@@ -9,7 +9,7 @@
 ##
 ## arg: The argument for the command (empty string if not provided).
 ##
-## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
+## .. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
 event mysql_command_request%(c: connection, command: count, arg: string%);
 ## Generated for an unsuccessful MySQL response.
@@ -23,7 +23,7 @@ event mysql_command_request%(c: connection, command: count, arg: string%);
 ##
 ## msg: Any extra details about the error (empty string if not provided).
 ##
-## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
+## .. zeek:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
 event mysql_error%(c: connection, code: count, msg: string%);
 ## Generated for a successful MySQL response.
@@ -35,7 +35,7 @@ event mysql_error%(c: connection, code: count, msg: string%);
 ##
 ## affected_rows: The number of rows that were affected.
 ##
-## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
+## .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
 event mysql_ok%(c: connection, affected_rows: count%);
 ## Generated for each MySQL ResultsetRow response packet.
@@ -47,7 +47,7 @@ event mysql_ok%(c: connection, affected_rows: count%);
 ##
 ## row: The result row data.
 ##
-## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
+## .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
 event mysql_result_row%(c: connection, row: string_vec%);
 ## Generated for the initial server handshake packet, which includes the MySQL server version.
@@ -59,7 +59,7 @@ event mysql_result_row%(c: connection, row: string_vec%);
 ##
 ## ver: The server version string.
 ##
-## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake
+## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_handshake
 event mysql_server_version%(c: connection, ver: string%);
 ## Generated for a client handshake response packet, which includes the username the client is attempting
@@ -72,6 +72,6 @@ event mysql_server_version%(c: connection, ver: string%);
 ##
 ## username: The username supplied by the client
 ##
-## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_server_version
+## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version
 event mysql_handshake%(c: connection, username: string%);
diff --git a/src/analyzer/protocol/ncp/events.bif b/src/analyzer/protocol/ncp/events.bif
index 9b5b7d77a7..05da060658 100644
--- a/src/analyzer/protocol/ncp/events.bif
+++ b/src/analyzer/protocol/ncp/events.bif
@@ -11,7 +11,7 @@
 ##
 ## func: The requested function, as specified by the protocol.
 ##
-## .. bro:see:: ncp_reply
+## .. zeek:see:: ncp_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -36,7 +36,7 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count%
 ##
 ## completion_code: The reply's completion code, as specified by the protocol.
 ##
-## .. bro:see:: ncp_request
+## .. zeek:see:: ncp_request
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
diff --git a/src/analyzer/protocol/netbios/events.bif b/src/analyzer/protocol/netbios/events.bif
index 72933f1e49..ed51264e92 100644
--- a/src/analyzer/protocol/netbios/events.bif
+++ b/src/analyzer/protocol/netbios/events.bif
@@ -16,7 +16,7 @@
 ##
 ## data_len: The length of the message's payload.
 ##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
 ## netbios_session_raw_message netbios_session_rejected netbios_session_request
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
@@ -44,7 +44,7 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
 ## msg: The raw payload of the message sent, excluding the common NetBIOS
 ## header.
 ##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
 ## netbios_session_message netbios_session_raw_message netbios_session_rejected
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
@@ -72,7 +72,7 @@ event netbios_session_request%(c: connection, msg: string%);
 ## msg: The raw payload of the message sent, excluding the common NetBIOS
 ## header.
 ##
-## .. bro:see:: netbios_session_keepalive netbios_session_message
+## .. zeek:see:: netbios_session_keepalive netbios_session_message
 ## netbios_session_raw_message netbios_session_rejected netbios_session_request
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
@@ -100,7 +100,7 @@ event netbios_session_accepted%(c: connection, msg: string%);
 ## msg: The raw payload of the message sent, excluding the common NetBIOS
 ## header.
 ##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
 ## netbios_session_message netbios_session_raw_message netbios_session_request
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
@@ -132,7 +132,7 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ## msg: The raw payload of the message sent, excluding the common NetBIOS
 ## header (i.e., the ``user_data``).
 ##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
 ## netbios_session_message netbios_session_rejected netbios_session_request
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
@@ -163,7 +163,7 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 ## msg: The raw payload of the message sent, excluding the common NetBIOS
 ## header.
 ##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
 ## netbios_session_message netbios_session_raw_message netbios_session_rejected
 ## netbios_session_request decode_netbios_name decode_netbios_name_type
 ##
@@ -193,7 +193,7 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 ## msg: The raw payload of the message sent, excluding the common NetBIOS
 ## header.
 ##
-## .. bro:see:: netbios_session_accepted netbios_session_message
+## .. zeek:see:: netbios_session_accepted netbios_session_message
 ## netbios_session_raw_message netbios_session_rejected netbios_session_request
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
diff --git a/src/analyzer/protocol/netbios/functions.bif b/src/analyzer/protocol/netbios/functions.bif
index f92402a3e8..c86156931f 100644
--- a/src/analyzer/protocol/netbios/functions.bif
+++ b/src/analyzer/protocol/netbios/functions.bif
@@ -5,7 +5,7 @@
 ##
 ## Returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAME"``.
 ##
-## .. bro:see:: decode_netbios_name_type
+## .. zeek:see:: decode_netbios_name_type
 function decode_netbios_name%(name: string%): string
 %{
 char buf[16];
@@ -41,7 +41,7 @@ function decode_netbios_name%(name: string%): string
 ##
 ## Returns: The numeric value of *name*.
 ##
-## .. bro:see:: decode_netbios_name
+## .. zeek:see:: decode_netbios_name
 function decode_netbios_name_type%(name: string%): count
 %{
 const u_char* s = name->Bytes();
diff --git a/src/analyzer/protocol/ntlm/events.bif b/src/analyzer/protocol/ntlm/events.bif
index a36d653968..88def089fa 100644
--- a/src/analyzer/protocol/ntlm/events.bif
+++ b/src/analyzer/protocol/ntlm/events.bif
@@ -4,7 +4,7 @@
 ##
 ## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
-## .. bro:see:: ntlm_challenge ntlm_authenticate
+## .. zeek:see:: ntlm_challenge ntlm_authenticate
 event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%);
 ## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
@@ -13,7 +13,7 @@ event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%);
 ##
 ## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
-## .. bro:see:: ntlm_negotiate ntlm_authenticate
+## .. zeek:see:: ntlm_negotiate ntlm_authenticate
 event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%);
 ## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
@@ -22,5 +22,5 @@ event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%);
 ##
 ## request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
-## .. bro:see:: ntlm_negotiate ntlm_challenge
+## .. zeek:see:: ntlm_negotiate ntlm_challenge
 event ntlm_authenticate%(c: connection, request: NTLM::Authenticate%);
diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
index bba2dfbbe5..d32d680799 100644
--- a/src/analyzer/protocol/ntp/events.bif
+++ b/src/analyzer/protocol/ntp/events.bif
@@ -11,7 +11,7 @@
 ## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
 ## further parse any optional fields.
 ##
-## .. bro:see:: ntp_session_timeout
+## .. zeek:see:: ntp_session_timeout
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
diff --git a/src/analyzer/protocol/pop3/events.bif b/src/analyzer/protocol/pop3/events.bif
index 74cf1f6f68..c51632b6c2 100644
--- a/src/analyzer/protocol/pop3/events.bif
+++ b/src/analyzer/protocol/pop3/events.bif
@@ -12,7 +12,7 @@
 ##
 ## arg: The argument to the command.
 ##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
 ## pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -37,7 +37,7 @@ event pop3_request%(c: connection, is_orig: bool,
 ##
 ## msg: The textual description the server sent along with *cmd*.
 ##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
+## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
 ## pop3_unexpected
 ##
 ## .. todo:: This event is receiving odd parameters, should unify.
@@ -62,7 +62,7 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
 ##
 ## data: The data sent.
 ##
-## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
+## .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
 ## pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -86,7 +86,7 @@ event pop3_data%(c: connection, is_orig: bool, data: string%);
 ##
 ## detail: The input that triggered the event.
 ##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
+## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -105,7 +105,7 @@ event pop3_unexpected%(c: connection, is_orig: bool,
 ##
 ## c: The connection.
 ##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
 ## pop3_request pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -128,7 +128,7 @@ event pop3_starttls%(c: connection%);
 ##
 ## password: The password used for authentication.
 ##
-## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request
+## .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
 ## pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -152,7 +152,7 @@ event pop3_login_success%(c: connection, is_orig: bool,
 ##
 ## password: The password attempted for authentication.
 ##
-## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request
+## .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
 ## pop3_unexpected
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif
index b811a60cda..fd6331360d 100644
--- a/src/analyzer/protocol/rpc/events.bif
+++ b/src/analyzer/protocol/rpc/events.bif
@@ -10,7 +10,7 @@
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink
 ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ## rpc_dialogue rpc_reply
@@ -38,7 +38,7 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 ## attrs: The attributes returned in the reply. The values may not be valid if
 ## the request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ## rpc_call rpc_dialogue rpc_reply file_mode
@@ -66,7 +66,7 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF
 ## rep: The attributes returned in the reply. The values may not be
 ## valid if the request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ## rpc_call rpc_dialogue rpc_reply file_mode
@@ -94,7 +94,7 @@ event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t,
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ## rpc_call rpc_dialogue rpc_reply
@@ -122,7 +122,7 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir
 ## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
@@ -150,7 +150,7 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ## nfs_proc_symlink rpc_call rpc_dialogue rpc_reply
@@ -178,7 +178,7 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
 ## rep: The attributes returned in the reply. The values may not be
 ## valid if the request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ## nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode
@@ -206,7 +206,7 @@ event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkarg
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ## nfs_proc_symlink rpc_dialogue rpc_reply
@@ -234,7 +234,7 @@ event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, r
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call
 ## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
@@ -263,7 +263,7 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ## rpc_call rpc_dialogue rpc_reply
@@ -291,7 +291,7 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ## rpc_call rpc_dialogue rpc_reply
@@ -319,7 +319,7 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ## rpc_dialogue rpc_reply
@@ -347,7 +347,7 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call
 ## rpc_dialogue rpc_reply
@@ -375,7 +375,7 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
 ## nfs_reply_status rpc_call rpc_dialogue rpc_reply
@@ -403,7 +403,7 @@ event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameoparg
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink
 ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ## rpc_dialogue rpc_reply
@@ -427,7 +427,7 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
 ##
 ## proc: The procedure called that Bro does not implement.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
 ## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##
@@ -444,7 +444,7 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
 ##
 ## info: Reports the status included in the reply.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
 ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
 ## rpc_dialogue rpc_reply
@@ -463,7 +463,7 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 ##
 ## r: The RPC connection.
 ##
-## .. bro:see:: pm_request_set pm_request_unset pm_request_getport
+## .. zeek:see:: pm_request_set pm_request_unset pm_request_getport
 ## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
 ## pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@@ -488,7 +488,7 @@ event pm_request_null%(r: connection%);
 ## reply. If no reply was seen, this will be false once the request
 ## times out.
 ##
-## .. bro:see:: pm_request_null pm_request_unset pm_request_getport
+## .. zeek:see:: pm_request_null pm_request_unset pm_request_getport
 ## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
 ## pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@@ -513,7 +513,7 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
 ## reply. If no reply was seen, this will be false once the request
 ## times out.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_getport
+## .. zeek:see:: pm_request_null pm_request_set pm_request_getport
 ## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
 ## pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@@ -536,7 +536,7 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
 ##
 ## p: The port returned by the server.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
 ## pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@@ -557,7 +557,7 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
 ##
 ## m: The mappings returned by the server.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_getport pm_request_callit pm_attempt_null
 ## pm_attempt_set pm_attempt_unset pm_attempt_getport
 ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@@ -581,7 +581,7 @@ event pm_request_dump%(r: connection, m: pm_mappings%);
 ##
 ## p: The port value returned by the call.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_getport pm_request_dump pm_attempt_null
 ## pm_attempt_set pm_attempt_unset pm_attempt_getport
 ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@@ -602,9 +602,9 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
 ## r: The RPC connection.
 ##
 ## status: The status of the reply, which should be one of the index values of
-## :bro:id:`RPC_status`.
+## :zeek:id:`RPC_status`.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_getport pm_request_dump pm_request_callit
 ## pm_attempt_set pm_attempt_unset pm_attempt_getport
 ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@@ -625,11 +625,11 @@ event pm_attempt_null%(r: connection, status: rpc_status%);
 ## r: The RPC connection.
 ##
 ## status: The status of the reply, which should be one of the index values of
-## :bro:id:`RPC_status`.
+## :zeek:id:`RPC_status`.
 ##
 ## m: The argument to the original request.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_getport pm_request_dump pm_request_callit
 ## pm_attempt_null pm_attempt_unset pm_attempt_getport
 ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@@ -650,11 +650,11 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
 ## r: The RPC connection.
 ##
 ## status: The status of the reply, which should be one of the index values of
-## :bro:id:`RPC_status`.
+## :zeek:id:`RPC_status`.
 ##
 ## m: The argument to the original request.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_getport pm_request_dump pm_request_callit
 ## pm_attempt_null pm_attempt_set pm_attempt_getport
 ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@@ -675,11 +675,11 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
 ## r: The RPC connection.
 ##
 ## status: The status of the reply, which should be one of the index values of
-## :bro:id:`RPC_status`.
+## :zeek:id:`RPC_status`.
 ##
 ## pr: The argument to the original request.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_getport pm_request_dump pm_request_callit
 ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
 ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@@ -699,9 +699,9 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request
 ## r: The RPC connection.
 ##
 ## status: The status of the reply, which should be one of the index values of
-## :bro:id:`RPC_status`.
+## :zeek:id:`RPC_status`.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_getport pm_request_dump pm_request_callit
 ## pm_attempt_null pm_attempt_set pm_attempt_unset
 ## pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
@@ -722,11 +722,11 @@ event pm_attempt_dump%(r: connection, status: rpc_status%);
 ## r: The RPC connection.
 ##
 ## status: The status of the reply, which should be one of the index values of
-## :bro:id:`RPC_status`.
+## :zeek:id:`RPC_status`.
 ##
 ## call: The argument to the original request.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_getport pm_request_dump pm_request_callit
 ## pm_attempt_null pm_attempt_set pm_attempt_unset
 ## pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
@@ -751,7 +751,7 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ
 ##
 ## bad_p: The invalid port value.
 ##
-## .. bro:see:: pm_request_null pm_request_set pm_request_unset
+## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
 ## pm_request_getport pm_request_dump pm_request_callit
 ## pm_attempt_null pm_attempt_set pm_attempt_unset
 ## pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
@@ -767,7 +767,7 @@ event pm_bad_port%(r: connection, bad_p: count%);
 ## and reply by their transaction identifiers and raises this event once both
 ## have been seen. If there's not a reply, this event will still be generated
 ## eventually on timeout. In that case, *status* will be set to
-## :bro:enum:`RPC_TIMEOUT`.
+## :zeek:enum:`RPC_TIMEOUT`.
 ##
 ## See `Wikipedia `__ for more information
 ## about the ONC RPC protocol.
@@ -781,7 +781,7 @@ event pm_bad_port%(r: connection, bad_p: count%);
 ## proc: The procedure of the remote program to call.
 ##
 ## status: The status of the reply, which should be one of the index values of
-## :bro:id:`RPC_status`.
+## :zeek:id:`RPC_status`.
 ##
 ## start_time: The time when the *call* was seen.
 ##
@@ -789,13 +789,13 @@ event pm_bad_port%(r: connection, bad_p: count%); ## ## reply_len: The size of the *reply_body* PDU. ## -## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request +## .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request ## dce_rpc_response rpc_timeout ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); @@ -816,13 +816,13 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: ## ## call_len: The size of the *call_body* PDU. ## -## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request +## .. zeek:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request ## dce_rpc_response rpc_timeout ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); 
@@ -836,17 +836,17 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, ## xid: The transaction identifier allowing to match requests with replies. ## ## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. +## :zeek:id:`RPC_status`. ## ## reply_len: The size of the *reply_body* PDU. ## -## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request +## .. zeek:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request ## dce_rpc_response rpc_timeout ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); @@ -859,7 +859,7 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count ## ## info: Reports the status of the dialogue, along with some meta information. ## -## .. bro:see:: mount_proc_mnt mount_proc_umnt +## .. zeek:see:: mount_proc_mnt mount_proc_umnt ## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -882,7 +882,7 @@ event mount_proc_null%(c: connection, info: MOUNT3::info_t%); ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: mount_proc_mnt mount_proc_umnt +## .. zeek:see:: mount_proc_mnt mount_proc_umnt ## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol 
@@ -902,7 +902,7 @@ event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntar
 ##
 ## req: The arguments passed in the request.
 ##
-## .. bro:see:: mount_proc_mnt mount_proc_umnt
+## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ## mount_proc_umnt_all mount_proc_not_implemented
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -922,7 +922,7 @@ event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmnta
 ##
 ## req: The arguments passed in the request.
 ##
-## .. bro:see:: mount_proc_mnt mount_proc_umnt
+## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ## mount_proc_umnt_all mount_proc_not_implemented
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -940,7 +940,7 @@ event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dir
 ##
 ## proc: The procedure called that Bro does not implement.
 ##
-## .. bro:see:: mount_proc_mnt mount_proc_umnt
+## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ## mount_proc_umnt_all mount_proc_not_implemented
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -956,7 +956,7 @@ event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOU
 ##
 ## info: Reports the status included in the reply.
 ##
-## .. bro:see:: mount_proc_mnt mount_proc_umnt
+## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ## mount_proc_umnt_all mount_proc_not_implemented
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
diff --git a/src/analyzer/protocol/sip/events.bif b/src/analyzer/protocol/sip/events.bif
index f8ab6f4f37..fb8f9b77d1 100644
--- a/src/analyzer/protocol/sip/events.bif
+++ b/src/analyzer/protocol/sip/events.bif
@@ -13,7 +13,7 @@ ## ## version: The version number specified in the request (e.g., ``2.0``). ## -## .. bro:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity +## .. zeek:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity event sip_request%(c: connection, method: string, original_URI: string, version: string%); ## Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP). @@ -31,7 +31,7 @@ event sip_request%(c: connection, method: string, original_URI: string, version: ## ## reason: Textual details for the response code. ## -## .. bro:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity +## .. zeek:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity event sip_reply%(c: connection, version: string, code: count, reason: string%); ## Generated for each :abbr:`SIP (Session Initiation Protocol)` header. @@ -47,7 +47,7 @@ event sip_reply%(c: connection, version: string, code: count, reason: string%); ## ## value: Header value. ## -## .. bro:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity +## .. zeek:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity event sip_header%(c: connection, is_orig: bool, name: string, value: string%); ## Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder. @@ -61,7 +61,7 @@ event sip_header%(c: connection, is_orig: bool, name: string, value: string%); ## ## hlist: All the headers, and their values ## -## .. bro:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity +## .. zeek:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity event sip_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%); ## Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message. 
@@ -75,7 +75,7 @@ event sip_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%); ## ## is_orig: Whether the message came from the originator. ## -## .. bro:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity +## .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity event sip_begin_entity%(c: connection, is_orig: bool%); ## Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message. @@ -87,5 +87,5 @@ event sip_begin_entity%(c: connection, is_orig: bool%); ## ## is_orig: Whether the message came from the originator. ## -## .. bro:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity +## .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity event sip_end_entity%(c: connection, is_orig: bool%); diff --git a/src/analyzer/protocol/smb/events.bif b/src/analyzer/protocol/smb/events.bif index d0091589fe..77746c2a09 100644 --- a/src/analyzer/protocol/smb/events.bif +++ b/src/analyzer/protocol/smb/events.bif @@ -3,7 +3,7 @@ ## up is when the drive mapping isn't seen so the analyzer is not able ## to determine whether to send the data to the files framework or to ## the DCE_RPC analyzer. This heuristic can be tuned by adding or -## removing "named pipe" names from the :bro:see:`SMB::pipe_filenames` +## removing "named pipe" names from the :zeek:see:`SMB::pipe_filenames` ## const. ## ## c: The connection. diff --git a/src/analyzer/protocol/smb/smb1_com_check_directory.bif b/src/analyzer/protocol/smb/smb1_com_check_directory.bif index 15feb3ad59..26f83210ff 100644 --- a/src/analyzer/protocol/smb/smb1_com_check_directory.bif +++ b/src/analyzer/protocol/smb/smb1_com_check_directory.bif 
@@ -10,7 +10,7 @@ ## ## directory_name: The directory name to check for existence. ## -## .. bro:see:: smb1_message smb1_check_directory_response +## .. zeek:see:: smb1_message smb1_check_directory_response event smb1_check_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -23,5 +23,5 @@ event smb1_check_directory_request%(c: connection, hdr: SMB1::Header, directory_ ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. ## -## .. bro:see:: smb1_message smb1_check_directory_request +## .. zeek:see:: smb1_message smb1_check_directory_request event smb1_check_directory_response%(c: connection, hdr: SMB1::Header%); \ No newline at end of file diff --git a/src/analyzer/protocol/smb/smb1_com_close.bif b/src/analyzer/protocol/smb/smb1_com_close.bif index 37958e1d19..8d2d8f0747 100644 --- a/src/analyzer/protocol/smb/smb1_com_close.bif +++ b/src/analyzer/protocol/smb/smb1_com_close.bif @@ -10,6 +10,6 @@ ## ## file_id: The file identifier being closed. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_close_request%(c: connection, hdr: SMB1::Header, file_id: count%); diff --git a/src/analyzer/protocol/smb/smb1_com_create_directory.bif b/src/analyzer/protocol/smb/smb1_com_create_directory.bif index f5e29b467b..40ddf44c8d 100644 --- a/src/analyzer/protocol/smb/smb1_com_create_directory.bif +++ b/src/analyzer/protocol/smb/smb1_com_create_directory.bif @@ -11,7 +11,7 @@ ## ## directory_name: The name of the directory to create. ## -## .. bro:see:: smb1_message smb1_create_directory_response smb1_transaction2_request +## .. zeek:see:: smb1_message smb1_create_directory_response smb1_transaction2_request event smb1_create_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -25,5 +25,5 @@ event smb1_create_directory_request%(c: connection, hdr: SMB1::Header, directory ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. ## -## .. bro:see:: smb1_message smb1_create_directory_request smb1_transaction2_request +## .. zeek:see:: smb1_message smb1_create_directory_request smb1_transaction2_request event smb1_create_directory_response%(c: connection, hdr: SMB1::Header%); \ No newline at end of file diff --git a/src/analyzer/protocol/smb/smb1_com_echo.bif b/src/analyzer/protocol/smb/smb1_com_echo.bif index 5b255af371..f95261ca3c 100644 --- a/src/analyzer/protocol/smb/smb1_com_echo.bif +++ b/src/analyzer/protocol/smb/smb1_com_echo.bif @@ -12,7 +12,7 @@ ## ## data: The data for the server to echo. ## -## .. bro:see:: smb1_message smb1_echo_response +## .. zeek:see:: smb1_message smb1_echo_response event smb1_echo_request%(c: connection, echo_count: count, data: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -28,5 +28,5 @@ event smb1_echo_request%(c: connection, echo_count: count, data: string%); ## ## data: The data echoed back from the client. ## -## .. bro:see:: smb1_message smb1_echo_request +## .. zeek:see:: smb1_message smb1_echo_request event smb1_echo_response%(c: connection, seq_num: count, data: string%); \ No newline at end of file diff --git a/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif b/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif index 88b5016328..ff5168e4dd 100644 --- a/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif @@ -10,6 +10,6 @@ ## ## is_orig: Indicates which host sent the logoff message. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_logoff_andx%(c: connection, is_orig: bool%); diff --git a/src/analyzer/protocol/smb/smb1_com_negotiate.bif b/src/analyzer/protocol/smb/smb1_com_negotiate.bif index fdb2201c1f..7dfe02cb68 100644 
--- a/src/analyzer/protocol/smb/smb1_com_negotiate.bif +++ b/src/analyzer/protocol/smb/smb1_com_negotiate.bif @@ -11,7 +11,7 @@ ## ## dialects: The SMB dialects supported by the client. ## -## .. bro:see:: smb1_message smb1_negotiate_response +## .. zeek:see:: smb1_message smb1_negotiate_response event smb1_negotiate_request%(c: connection, hdr: SMB1::Header, dialects: string_vec%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -26,7 +26,7 @@ event smb1_negotiate_request%(c: connection, hdr: SMB1::Header, dialects: string ## ## response: A record structure containing more information from the response. ## -## .. bro:see:: smb1_message smb1_negotiate_request +## .. zeek:see:: smb1_message smb1_negotiate_request event smb1_negotiate_response%(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif b/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif index f04fc839ec..66bbbc5fb9 100644 --- a/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif +++ b/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif @@ -8,5 +8,5 @@ ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_nt_cancel_request%(c: connection, hdr: SMB1::Header%); \ No newline at end of file diff --git a/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif b/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif index f8008e878b..d19d59fd50 100644 --- a/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif 
@@ -11,7 +11,7 @@ ## ## name: The ``name`` attribute specified in the message. ## -## .. bro:see:: smb1_message smb1_nt_create_andx_response +## .. zeek:see:: smb1_message smb1_nt_create_andx_response event smb1_nt_create_andx_request%(c: connection, hdr: SMB1::Header, file_name: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -30,7 +30,7 @@ event smb1_nt_create_andx_request%(c: connection, hdr: SMB1::Header, file_name: ## ## times: Timestamps associated with the file in question. ## -## .. bro:see:: smb1_message smb1_nt_create_andx_request +## .. zeek:see:: smb1_message smb1_nt_create_andx_request event smb1_nt_create_andx_response%(c: connection, hdr: SMB1::Header, file_id: count, file_size: count, times: SMB::MACTimes%); diff --git a/src/analyzer/protocol/smb/smb1_com_query_information.bif b/src/analyzer/protocol/smb/smb1_com_query_information.bif index 64a5150dc9..e2f1ded6bd 100644 --- a/src/analyzer/protocol/smb/smb1_com_query_information.bif +++ b/src/analyzer/protocol/smb/smb1_com_query_information.bif @@ -11,6 +11,6 @@ ## ## filename: The filename that the client is querying. ## -## .. bro:see:: smb1_message smb1_transaction2_request +## .. zeek:see:: smb1_message smb1_transaction2_request event smb1_query_information_request%(c: connection, hdr: SMB1::Header, filename: string%); diff --git a/src/analyzer/protocol/smb/smb1_com_read_andx.bif b/src/analyzer/protocol/smb/smb1_com_read_andx.bif index 73cacf0a65..a7c04bffca 100644 --- a/src/analyzer/protocol/smb/smb1_com_read_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_read_andx.bif 
@@ -15,7 +15,7 @@ ## ## length: The number of bytes being requested. ## -## .. bro:see:: smb1_message smb1_read_andx_response +## .. zeek:see:: smb1_message smb1_read_andx_response event smb1_read_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -29,6 +29,6 @@ event smb1_read_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, ## ## data_len: The length of data from the requested file. ## -## .. bro:see:: smb1_message smb1_read_andx_request +## .. zeek:see:: smb1_message smb1_read_andx_request event smb1_read_andx_response%(c: connection, hdr: SMB1::Header, data_len: count%); diff --git a/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif b/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif index 7971a4977c..b50fa5d875 100644 --- a/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif @@ -9,7 +9,7 @@ ## ## request: The parsed request data of the SMB message. See init-bare for more details. ## -## .. bro:see:: smb1_message smb1_session_setup_andx_response +## .. zeek:see:: smb1_message smb1_session_setup_andx_response event smb1_session_setup_andx_request%(c: connection, hdr: SMB1::Header, request: SMB1::SessionSetupAndXRequest%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -23,7 +23,7 @@ event smb1_session_setup_andx_request%(c: connection, hdr: SMB1::Header, request ## ## response: The parsed response data of the SMB message. See init-bare for more details. ## -## .. bro:see:: smb1_message smb1_session_setup_andx_request +## .. zeek:see:: smb1_message smb1_session_setup_andx_request event smb1_session_setup_andx_response%(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse%); #### Types 
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction.bif b/src/analyzer/protocol/smb/smb1_com_transaction.bif index 0c411b55c3..cd80a668dc 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction.bif @@ -18,7 +18,7 @@ ## ## data: content of the SMB_Data.Trans_Data field ## -## .. bro:see:: smb1_message smb1_transaction2_request +## .. zeek:see:: smb1_message smb1_transaction2_request event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2.bif b/src/analyzer/protocol/smb/smb1_com_transaction2.bif index aa30aeebe1..48e2f7cdd6 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction2.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction2.bif @@ -15,7 +15,7 @@ ## ## sub_cmd: The sub command, some are parsed and have their own events. ## -## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request +## .. zeek:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request ## smb1_trans2_get_dfs_referral_request smb1_transaction_request event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count%); @@ -31,7 +31,7 @@ event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::T ## ## args: A record data structure with arguments given to the command. ## -## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request +## .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request ## smb1_trans2_get_dfs_referral_request event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Request_Args%); 
@@ -47,7 +47,7 @@ event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: S ## ## file_name: File name the request is in reference to. ## -## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request +## .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request ## smb1_trans2_get_dfs_referral_request event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, file_name: string%); @@ -63,7 +63,7 @@ event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, fil ## ## file_name: File name the request is in reference to. ## -## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request +## .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request ## smb1_trans2_query_path_info_request event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, file_name: string%); diff --git a/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif b/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif index 16aeb2bbb6..95274af115 100644 --- a/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif @@ -12,7 +12,7 @@ ## ## service: The ``service`` attribute specified in the message. ## -## .. bro:see:: smb1_message smb1_tree_connect_andx_response +## .. zeek:see:: smb1_message smb1_tree_connect_andx_response event smb1_tree_connect_andx_request%(c: connection, hdr: SMB1::Header, path: string, service: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -29,6 +29,6 @@ event smb1_tree_connect_andx_request%(c: connection, hdr: SMB1::Header, path: st ## ## native_file_system: The file system of the remote server as indicate by the server. ## -## .. bro:see:: smb1_message smb1_tree_connect_andx_request +## .. zeek:see:: smb1_message smb1_tree_connect_andx_request event smb1_tree_connect_andx_response%(c: connection, hdr: SMB1::Header, service: string, native_file_system: string%); diff --git a/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif b/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif index 493ee66238..db94e1ff2a 100644 --- a/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif +++ b/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif @@ -10,6 +10,6 @@ ## ## is_orig: True if the message was from the originator. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_tree_disconnect%(c: connection, hdr: SMB1::Header, is_orig: bool%); diff --git a/src/analyzer/protocol/smb/smb1_com_write_andx.bif b/src/analyzer/protocol/smb/smb1_com_write_andx.bif index d30c8af2ba..6bf086e978 100644 --- a/src/analyzer/protocol/smb/smb1_com_write_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_write_andx.bif @@ -13,7 +13,7 @@ ## ## data: The data being written. ## -## .. bro:see:: smb1_message smb1_write_andx_response +## .. zeek:see:: smb1_message smb1_write_andx_response event smb1_write_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -28,5 +28,5 @@ event smb1_write_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, ## ## written_bytes: The number of bytes the server reported having actually written. ## -## .. bro:see:: smb1_message smb1_write_andx_request +## .. zeek:see:: smb1_message smb1_write_andx_request event smb1_write_andx_response%(c: connection, hdr: SMB1::Header, written_bytes: count%); 
diff --git a/src/analyzer/protocol/smb/smb1_events.bif b/src/analyzer/protocol/smb/smb1_events.bif index 4746af34a4..e5134b8bd0 100644 --- a/src/analyzer/protocol/smb/smb1_events.bif +++ b/src/analyzer/protocol/smb/smb1_events.bif @@ -14,7 +14,7 @@ ## is_orig: True if the message was sent by the originator of the underlying ## transport-level connection. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb1_message%(c: connection, hdr: SMB1::Header, is_orig: bool%); ## Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body. @@ -23,7 +23,7 @@ event smb1_message%(c: connection, hdr: SMB1::Header, is_orig: bool%); ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_empty_response%(c: connection, hdr: SMB1::Header%); ## Generated for :abbr:`SMB (Server Message Block)` version 1 messages @@ -37,6 +37,6 @@ event smb1_empty_response%(c: connection, hdr: SMB1::Header%); ## is_orig: True if the message was sent by the originator of the underlying ## transport-level connection. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_error%(c: connection, hdr: SMB1::Header, is_orig: bool%); diff --git a/src/analyzer/protocol/smb/smb2_com_close.bif b/src/analyzer/protocol/smb/smb2_com_close.bif index 5ac4afa1db..4f8d802c63 100644 --- a/src/analyzer/protocol/smb/smb2_com_close.bif +++ b/src/analyzer/protocol/smb/smb2_com_close.bif @@ -10,7 +10,7 @@ ## ## file_name: The SMB2 GUID of the file being closed. ## -## .. bro:see:: smb2_message smb2_close_response +## .. zeek:see:: smb2_message smb2_close_response event smb2_close_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -25,7 +25,7 @@ event smb2_close_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID% ## ## response: A record of attributes returned from the server from the close. ## -## .. bro:see:: smb2_message smb2_close_request +## .. zeek:see:: smb2_message smb2_close_request event smb2_close_response%(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse%); diff --git a/src/analyzer/protocol/smb/smb2_com_create.bif b/src/analyzer/protocol/smb/smb2_com_create.bif index 9a77878e9f..7d9c4e4895 100644 --- a/src/analyzer/protocol/smb/smb2_com_create.bif +++ b/src/analyzer/protocol/smb/smb2_com_create.bif @@ -10,7 +10,7 @@ ## ## request: A record with more information related to the request. ## -## .. bro:see:: smb2_message smb2_create_response +## .. zeek:see:: smb2_message smb2_create_response event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -25,7 +25,7 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::Crea ## ## response: A record with more information related to the response. ## -## .. bro:see:: smb2_message smb2_create_request +## .. zeek:see:: smb2_message smb2_create_request event smb2_create_response%(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_negotiate.bif b/src/analyzer/protocol/smb/smb2_com_negotiate.bif index 80c7c1aea5..2202064933 100644 --- a/src/analyzer/protocol/smb/smb2_com_negotiate.bif +++ b/src/analyzer/protocol/smb/smb2_com_negotiate.bif 
@@ -10,7 +10,7 @@ ## ## dialects: A vector of the client's supported dialects. ## -## .. bro:see:: smb2_message smb2_negotiate_response +## .. zeek:see:: smb2_message smb2_negotiate_response event smb2_negotiate_request%(c: connection, hdr: SMB2::Header, dialects: index_vec%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -25,7 +25,7 @@ event smb2_negotiate_request%(c: connection, hdr: SMB2::Header, dialects: index_ ## ## response: The negotiate response data structure. ## -## .. bro:see:: smb2_message smb2_negotiate_request +## .. zeek:see:: smb2_message smb2_negotiate_request event smb2_negotiate_response%(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_read.bif b/src/analyzer/protocol/smb/smb2_com_read.bif index 4ccc8d7788..b14874b38b 100644 --- a/src/analyzer/protocol/smb/smb2_com_read.bif +++ b/src/analyzer/protocol/smb/smb2_com_read.bif @@ -14,5 +14,5 @@ ## ## length: The number of bytes of the file being read. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb2_read_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%); diff --git a/src/analyzer/protocol/smb/smb2_com_session_setup.bif b/src/analyzer/protocol/smb/smb2_com_session_setup.bif index 99430d5ac9..b3dbe6cc57 100644 --- a/src/analyzer/protocol/smb/smb2_com_session_setup.bif +++ b/src/analyzer/protocol/smb/smb2_com_session_setup.bif @@ -11,7 +11,7 @@ ## ## request: A record containing more information related to the request. ## -## .. bro:see:: smb2_message smb2_session_setup_response +## .. zeek:see:: smb2_message smb2_session_setup_response event smb2_session_setup_request%(c: connection, hdr: SMB2::Header, request: SMB2::SessionSetupRequest%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -26,7 +26,7 @@ event smb2_session_setup_request%(c: connection, hdr: SMB2::Header, request: SMB ## ## response: A record containing more information related to the response. ## -## .. bro:see:: smb2_message smb2_session_setup_request +## .. zeek:see:: smb2_message smb2_session_setup_request event smb2_session_setup_response%(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif index 1f6d9386f8..37a0b8900f 100644 --- a/src/analyzer/protocol/smb/smb2_com_set_info.bif +++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif @@ -11,7 +11,7 @@ ## ## dst_filename: The filename to rename the file into. ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -28,7 +28,7 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d ## delete_pending: A boolean value to indicate that a file should be deleted ## when it's closed if set to T. ## -## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr +## .. zeek:see:: smb2_message smb2_file_rename smb2_file_sattr event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -46,7 +46,7 @@ event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d ## ## attrs: File attributes. ## -## .. bro:see:: smb2_message smb2_file_rename smb2_file_delete +## .. zeek:see:: smb2_message smb2_file_rename smb2_file_delete event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); # TODO - Not implemented @@ -60,7 +60,7 @@ event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, ti # # request: A record containing more information related to the request. # -# .. bro:see:: smb2_message smb2_file_rename smb2_file_delete +# .. zeek:see:: smb2_message smb2_file_rename smb2_file_delete # event smb2_set_info_request%(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest%); # # type SMB2::SetInfoRequest: record; diff --git a/src/analyzer/protocol/smb/smb2_com_transform_header.bif b/src/analyzer/protocol/smb/smb2_com_transform_header.bif index 1506fe3222..629ae27841 100644 --- a/src/analyzer/protocol/smb/smb2_com_transform_header.bif +++ b/src/analyzer/protocol/smb/smb2_com_transform_header.bif @@ -8,7 +8,7 @@ ## ## hdr: The parsed transformed header message, which is starting with \xfdSMB and different from SMB1 and SMB2 headers. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb2_transform_header%(c: connection, hdr: SMB2::Transform_header%); type SMB2::Transform_header: record; diff --git a/src/analyzer/protocol/smb/smb2_com_tree_connect.bif b/src/analyzer/protocol/smb/smb2_com_tree_connect.bif index 78978f3971..877f5b2c4c 100644 --- a/src/analyzer/protocol/smb/smb2_com_tree_connect.bif +++ b/src/analyzer/protocol/smb/smb2_com_tree_connect.bif 
@@ -10,7 +10,7 @@ ## ## path: Path of the requested tree. ## -## .. bro:see:: smb2_message smb2_tree_connect_response +## .. zeek:see:: smb2_message smb2_tree_connect_response event smb2_tree_connect_request%(c: connection, hdr: SMB2::Header, path: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -25,7 +25,7 @@ event smb2_tree_connect_request%(c: connection, hdr: SMB2::Header, path: string% ## ## response: A record with more information related to the response. ## -## .. bro:see:: smb2_message smb2_tree_connect_request +## .. zeek:see:: smb2_message smb2_tree_connect_request event smb2_tree_connect_response%(c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse%); type SMB2::TreeConnectResponse: record; diff --git a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif index fdcd5d9d8b..6c7f3b7c2d 100644 --- a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif +++ b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif @@ -6,7 +6,7 @@ ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb2_tree_disconnect_request%(c: connection, hdr: SMB2::Header%); @@ -18,5 +18,5 @@ event smb2_tree_disconnect_request%(c: connection, hdr: SMB2::Header%); ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb2_tree_disconnect_response%(c: connection, hdr: SMB2::Header%); diff --git a/src/analyzer/protocol/smb/smb2_com_write.bif b/src/analyzer/protocol/smb/smb2_com_write.bif index 66dab9b077..71df322090 100644 --- a/src/analyzer/protocol/smb/smb2_com_write.bif +++ b/src/analyzer/protocol/smb/smb2_com_write.bif 
@@ -14,7 +14,7 @@ ## ## length: The number of bytes of the file being written. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -29,5 +29,5 @@ event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, ## ## length: The number of bytes of the file being written. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb2_write_response%(c: connection, hdr: SMB2::Header, length: count%); diff --git a/src/analyzer/protocol/smb/smb2_events.bif b/src/analyzer/protocol/smb/smb2_events.bif index a8a2c439fc..7f7d6ab9db 100644 --- a/src/analyzer/protocol/smb/smb2_events.bif +++ b/src/analyzer/protocol/smb/smb2_events.bif @@ -13,5 +13,5 @@ ## ## is_orig: True if the message came from the originator side. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb2_message%(c: connection, hdr: SMB2::Header, is_orig: bool%); diff --git a/src/analyzer/protocol/smtp/events.bif b/src/analyzer/protocol/smtp/events.bif index 898e98e0d1..9bc9190b31 100644 --- a/src/analyzer/protocol/smtp/events.bif +++ b/src/analyzer/protocol/smtp/events.bif @@ -16,7 +16,7 @@ ## ## arg: The request command's arguments. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_data smtp_reply ## 
@@ -47,7 +47,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) ## line. If so, further events will be raised and a handler may want to ## reassemble the pieces before processing the response any further. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_data smtp_request ## @@ -70,7 +70,7 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## data: The raw data. Note that the size of each chunk is undefined and ## depends on specifics of the underlying TCP connection. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_reply smtp_request skip_smtp_data ## @@ -96,7 +96,7 @@ event smtp_data%(c: connection, is_orig: bool, data: string%); ## ## detail: The actual SMTP line triggering the event. ## -## .. bro:see:: smtp_data smtp_request smtp_reply +## .. zeek:see:: smtp_data smtp_request smtp_reply event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); ## Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS. diff --git a/src/analyzer/protocol/smtp/functions.bif b/src/analyzer/protocol/smtp/functions.bif index 8630685096..a5670c7d64 100644 --- a/src/analyzer/protocol/smtp/functions.bif +++ b/src/analyzer/protocol/smtp/functions.bif @@ -7,7 +7,7 @@ ## ## c: The SMTP connection. ## -## .. bro:see:: skip_http_entity_data +## .. zeek:see:: skip_http_entity_data function skip_smtp_data%(c: connection%): any %{ analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); 
diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif
index cb6c5e248e..6ff62e501d 100644
--- a/src/analyzer/protocol/ssh/events.bif
+++ b/src/analyzer/protocol/ssh/events.bif
@@ -7,7 +7,7 @@
 ##
 ## version: The identification string
 ##
-## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
+## .. zeek:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
 ## ssh_auth_result ssh_auth_attempted ssh_capabilities
 ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
 ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
@@ -23,7 +23,7 @@ event ssh_server_version%(c: connection, version: string%);
 ##
 ## version: The identification string
 ##
-## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
+## .. zeek:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
 ## ssh_auth_result ssh_auth_attempted ssh_capabilities
 ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
 ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
@@ -44,7 +44,7 @@ event ssh_client_version%(c: connection, version: string%);
 ## :abbr:`SSH (Secure Shell)` protocol provides a mechanism for
 ## unauthenticated access, which some servers support.
 ##
-## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed
+## .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
 ## ssh_auth_result ssh_auth_attempted ssh_capabilities
 ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
 ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
@@ -74,7 +74,7 @@ event ssh_auth_successful%(c: connection, auth_method_none: bool%);
 ## authenticated: This is true if the analyzer detected a
 ## successful connection from the authentication attempt.
 ##
-## .. bro:see:: ssh_server_version ssh_client_version
+## .. zeek:see:: ssh_server_version ssh_client_version
 ## ssh_auth_successful ssh_auth_failed ssh_auth_result
 ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
 ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
@@ -96,7 +96,7 @@ event ssh_auth_attempted%(c: connection, authenticated: bool%);
 ## capabilities: The list of algorithms and languages that the sender
 ## advertises support for, in order of preference.
 ##
-## .. bro:see:: ssh_server_version ssh_client_version
+## .. zeek:see:: ssh_server_version ssh_client_version
 ## ssh_auth_successful ssh_auth_failed ssh_auth_result
 ## ssh_auth_attempted ssh2_server_host_key ssh1_server_host_key
 ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
@@ -113,7 +113,7 @@ event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabi
 ## key: The server's public host key. Note that this is the public key
 ## itself, and not just the fingerprint or hash.
 ##
-## .. bro:see:: ssh_server_version ssh_client_version
+## .. zeek:see:: ssh_server_version ssh_client_version
 ## ssh_auth_successful ssh_auth_failed ssh_auth_result
 ## ssh_auth_attempted ssh_capabilities ssh1_server_host_key
 ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
@@ -131,7 +131,7 @@ event ssh2_server_host_key%(c: connection, key: string%);
 ##
 ## e: The exponent for the serer's public host key.
 ##
-## .. bro:see:: ssh_server_version ssh_client_version
+## .. zeek:see:: ssh_server_version ssh_client_version
 ## ssh_auth_successful ssh_auth_failed ssh_auth_result
 ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
 ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
@@ -141,7 +141,7 @@ event ssh1_server_host_key%(c: connection, p: string, e: string%);
 ## This event is generated when an :abbr:`SSH (Secure Shell)`
 ## encrypted packet is seen. This event is not handled by default, but
 ## is provided for heuristic analysis scripts. Note that you have to set
-## :bro:id:`SSH::disable_analyzer_after_detection` to false to use this
+## :zeek:id:`SSH::disable_analyzer_after_detection` to false to use this
 ## event. This carries a performance penalty.
 ##
 ## c: The connection over which the :abbr:`SSH (Secure Shell)`
@@ -153,7 +153,7 @@ event ssh1_server_host_key%(c: connection, p: string, e: string%);
 ## len: The length of the :abbr:`SSH (Secure Shell)` payload, in
 ## bytes. Note that this ignores reassembly, as this is unknown.
 ##
-## .. bro:see:: ssh_server_version ssh_client_version
+## .. zeek:see:: ssh_server_version ssh_client_version
 ## ssh_auth_successful ssh_auth_failed ssh_auth_result
 ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
 ## ssh1_server_host_key ssh_server_host_key ssh2_dh_server_params
@@ -171,7 +171,7 @@ event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
 ##
 ## q: The DH generator.
 ##
-## .. bro:see:: ssh_server_version ssh_client_version
+## .. zeek:see:: ssh_server_version ssh_client_version
 ## ssh_auth_successful ssh_auth_failed ssh_auth_result
 ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
 ## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
@@ -191,7 +191,7 @@ event ssh2_dh_server_params%(c: connection, p: string, q: string%);
 ##
 ## err_msg: Detailed human-readable error message
 ##
-## .. bro:see:: ssh_server_version ssh_client_version
+## .. zeek:see:: ssh_server_version ssh_client_version
 ## ssh_auth_successful ssh_auth_failed ssh_auth_result
 ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
 ## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
@@ -211,7 +211,7 @@ event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, e
 ##
 ## q: The ephemeral public key
 ##
-## .. bro:see:: ssh_server_version ssh_client_version
+## .. zeek:see:: ssh_server_version ssh_client_version
 ## ssh_auth_successful ssh_auth_failed ssh_auth_result
 ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
 ## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 2ef675554f..03a2a93868 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -10,7 +10,7 @@
 ##
 ## version: The protocol version as extracted from the client's message. The
 ## values are standardized as part of the SSL/TLS protocol. The
-## :bro:id:`SSL::version_strings` table maps them to descriptive names.
+## :zeek:id:`SSL::version_strings` table maps them to descriptive names.
 ##
 ## record_version: TLS version given in the record layer of the message.
 ## Set to 0 for SSLv2.
@@ -25,12 +25,12 @@
 ##
 ## ciphers: The list of ciphers the client offered to use. The values are
 ## standardized as part of the SSL/TLS protocol. The
-## :bro:id:`SSL::cipher_desc` table maps them to descriptive names.
+## :zeek:id:`SSL::cipher_desc` table maps them to descriptive names.
 ##
 ## comp_methods: The list of compression methods that the client offered to use.
 ## This value is not sent in TLSv1.3 or SSLv2.
 ##
-## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
 ## ssl_session_ticket_handshake x509_certificate ssl_handshake_message
 ## ssl_change_cipher_spec
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
@@ -49,7 +49,7 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
 ##
 ## version: The protocol version as extracted from the server's message.
 ## The values are standardized as part of the SSL/TLS protocol. The
-## :bro:id:`SSL::version_strings` table maps them to descriptive names.
+## :zeek:id:`SSL::version_strings` table maps them to descriptive names.
 ##
 ## record_version: TLS version given in the record layer of the message.
 ## Set to 0 for SSLv2.
@@ -65,14 +65,14 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
 ## the connection-id is returned.
 ##
 ## cipher: The cipher chosen by the server. The values are standardized as part
-## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps
+## of the SSL/TLS protocol. The :zeek:id:`SSL::cipher_desc` table maps
 ## them to descriptive names.
 ##
 ## comp_method: The compression method chosen by the client. The values are
 ## standardized as part of the SSL/TLS protocol. This value is not
 ## sent in TLSv1.3 or SSLv2.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ## ssl_session_ticket_handshake x509_certificate ssl_server_curve
 ## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
@@ -91,12 +91,12 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
 ## is_orig: True if event is raised for originator side of the connection.
 ##
 ## code: The numerical code of the extension. The values are standardized as
-## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps
+## part of the SSL/TLS protocol. The :zeek:id:`SSL::extensions` table maps
 ## them to descriptive names.
 ##
 ## val: The raw extension value that was sent in the message.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension_ec_point_formats
 ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
@@ -113,7 +113,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ##
 ## curves: List of supported elliptic curves.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
 ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
@@ -133,7 +133,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ##
 ## point_formats: List of supported point formats.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
@@ -154,7 +154,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
 ##
 ## signature_algorithms: List of supported signature and hash algorithm pairs.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ## ssl_extension_server_name ssl_server_curve ssl_extension_key_share
@@ -173,7 +173,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
 ##
 ## curves: List of supported/chosen named groups.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ## ssl_extension_server_name ssl_server_curve
@@ -193,7 +193,7 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%)
 ## .. note:: This event is deprecated and superseded by the ssl_ecdh_server_params
 ## event. This event will be removed in a future version of Bro.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ## ssl_extension_server_name ssl_extension_key_share
@@ -212,7 +212,7 @@ event ssl_server_curve%(c: connection, curve: count%) &deprecated;
 ##
 ## point: The server's ECDH public key.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
 ## ssl_dh_client_params ssl_ecdh_client_params ssl_rsa_client_pms
 event ssl_ecdh_server_params%(c: connection, curve: count, point: string%);
@@ -229,7 +229,7 @@ event ssl_ecdh_server_params%(c: connection, curve: count, point: string%);
 ##
 ## Ys: The server's DH public key.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ## ssl_rsa_client_pms
@@ -252,7 +252,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
 ## corresponding to the certified public key in the server's certificate
 ## message is used for signing.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 event ssl_server_signature%(c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
@@ -265,7 +265,7 @@ event ssl_server_signature%(c: connection, signature_and_hashalgorithm: SSL::Sig
 ##
 ## point: The client's ECDH public key.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_rsa_client_pms
 event ssl_ecdh_client_params%(c: connection, point: string%);
@@ -278,7 +278,7 @@ event ssl_ecdh_client_params%(c: connection, point: string%);
 ##
 ## Yc: The client's DH public key.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
 ## ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms
 event ssl_dh_client_params%(c: connection, Yc: string%);
@@ -291,7 +291,7 @@ event ssl_dh_client_params%(c: connection, Yc: string%);
 ##
 ## pms: The encrypted pre-master secret.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 event ssl_rsa_client_pms%(c: connection, pms: string%);
@@ -309,7 +309,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
 ##
 ## protocols: List of supported application layer protocols.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
 ## ssl_extension_server_name ssl_extension_key_share
@@ -329,7 +329,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
 ##
 ## names: A list of server names (DNS hostnames).
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
 ## ssl_extension_application_layer_protocol_negotiation
@@ -359,7 +359,7 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
 ##
 ## signature: signature part of the digitally_signed struct
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
 ## ssl_extension_server_name ssl_extension_key_share
@@ -379,7 +379,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool,
 ##
 ## versions: List of supported TLS versions.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
 ## ssl_extension_application_layer_protocol_negotiation
@@ -396,7 +396,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
 ##
 ## versions: List of supported Pre-Shared Key Exchange Modes.
 ##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ## ssl_session_ticket_handshake ssl_extension
 ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
 ## ssl_extension_application_layer_protocol_negotiation
@@ -415,7 +415,7 @@ event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: ## ## c: The connection. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate event ssl_established%(c: connection%); @@ -438,7 +438,7 @@ event ssl_established%(c: connection%); ## desc: A numerical value identifying the cause of the *alert*. The values are ## defined as part of the SSL/TLS protocol. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); @@ -459,7 +459,7 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); ## ## ticket: The raw ticket data. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%); @@ -481,7 +481,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## payload: payload contained in the heartbeat message. Size can differ from ## payload_length, if payload_length and actual packet length disagree. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert ssl_encrypted_data event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%); 
@@ -504,14 +504,14 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type ## ## length: length of the entire message. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert ssl_heartbeat event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%); ## Generated for SSL/TLS messages that are sent after session encryption ## started. ## -## Note that :bro:id:`SSL::disable_analyzer_after_detection` has to be changed +## Note that :zeek:id:`SSL::disable_analyzer_after_detection` has to be changed ## from its default to false for this event to be generated. ## ## c: The connection. @@ -526,7 +526,7 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c ## ## length: length of the entire message. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert ssl_heartbeat event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%); @@ -551,7 +551,7 @@ event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); ## ## length: Length of the handshake message that was seen. ## -## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate ssl_client_hello ## ssl_change_cipher_spec event ssl_handshake_message%(c: connection, is_orig: bool, msg_type: count, length: count%); 
@@ -563,7 +563,7 @@ event ssl_handshake_message%(c: connection, is_orig: bool, msg_type: count, leng
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
 ## ssl_session_ticket_handshake x509_certificate ssl_client_hello
 ## ssl_handshake_message
 event ssl_change_cipher_spec%(c: connection, is_orig: bool%);
diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif
index 5e862317b1..72cf44c243 100644
--- a/src/analyzer/protocol/tcp/events.bif
+++ b/src/analyzer/protocol/tcp/events.bif
@@ -5,7 +5,7 @@
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reset connection_reused
@@ -15,13 +15,13 @@ event new_connection_contents%(c: connection%);
 
 ## Generated for an unsuccessful connection attempt. This event is raised when
 ## an originator unsuccessfully attempted to establish a connection.
-## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds
+## "Unsuccessful" is defined as at least :zeek:id:`tcp_attempt_delay` seconds
 ## having elapsed since the originator first sent a connection establishment
 ## packet to the destination without seeing a reply.
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_established
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_established
 ## connection_external connection_finished connection_first_ACK
 ## connection_half_finished connection_partial_close connection_pending
 ## connection_rejected connection_reset connection_reused connection_state_remove
@@ -31,15 +31,15 @@ event connection_attempt%(c: connection%);
 
 ## Generated when seeing a SYN-ACK packet from the responder in a TCP
 ## handshake. An associated SYN packet was not seen from the originator
-## side if its state is not set to :bro:see:`TCP_ESTABLISHED`.
+## side if its state is not set to :zeek:see:`TCP_ESTABLISHED`.
 ## The final ACK of the handshake in response to SYN-ACK may
 ## or may not occur later, one way to tell is to check the *history* field of
-## :bro:type:`connection` to see if the originator sent an ACK, indicated by
+## :zeek:type:`connection` to see if the originator sent an ACK, indicated by
 ## 'A' in the history string.
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_external connection_finished connection_first_ACK
 ## connection_half_finished connection_partial_close connection_pending
 ## connection_rejected connection_reset connection_reused connection_state_remove
@@ -54,7 +54,7 @@ event connection_established%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reset connection_reused
@@ -66,12 +66,12 @@ event partial_connection%(c: connection%);
 ## Generated when a previously inactive endpoint attempts to close a TCP
 ## connection via a normal FIN handshake or an abort RST sequence. When the
 ## endpoint sent one of these packets, Bro waits
-## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give
+## :zeek:id:`tcp_partial_close_delay` prior to generating the event, to give
 ## the other endpoint a chance to close the connection normally.
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_pending
 ## connection_rejected connection_reset connection_reused connection_state_remove
@@ -84,7 +84,7 @@ event connection_partial_close%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_first_ACK
 ## connection_half_finished connection_partial_close connection_pending
 ## connection_rejected connection_reset connection_reused connection_state_remove
@@ -98,7 +98,7 @@ event connection_finished%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_partial_close connection_pending
 ## connection_rejected connection_reset connection_reused connection_state_remove
@@ -112,7 +112,7 @@ event connection_half_finished%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_reset connection_reused connection_state_remove
@@ -121,10 +121,10 @@ event connection_half_finished%(c: connection%);
 ##
 ## .. note::
 ##
-## If the responder does not respond at all, :bro:id:`connection_attempt` is
+## If the responder does not respond at all, :zeek:id:`connection_attempt` is
 ## raised instead. If the responder initially accepts the connection but
-## aborts it later, Bro first generates :bro:id:`connection_established`
-## and then :bro:id:`connection_reset`.
+## aborts it later, Bro first generates :zeek:id:`connection_established`
+## and then :zeek:id:`connection_reset`.
 event connection_rejected%(c: connection%);
 
 ## Generated when an endpoint aborted a TCP connection. The event is raised
@@ -133,7 +133,7 @@ event connection_rejected%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reused
@@ -146,7 +146,7 @@ event connection_reset%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_rejected connection_reset connection_reused connection_state_remove
@@ -161,7 +161,7 @@ event connection_pending%(c: connection%);
 ##
 ## pkt: Information extracted from the SYN packet.
 ##
-## .. bro:see:: connection_EOF connection_attempt connection_established
+## .. zeek:see:: connection_EOF connection_attempt connection_established
 ## connection_external connection_finished connection_first_ACK
 ## connection_half_finished connection_partial_close connection_pending
 ## connection_rejected connection_reset connection_reused connection_state_remove
@@ -182,7 +182,7 @@ event connection_SYN_packet%(c: connection, pkt: SYN_packet%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_half_finished connection_partial_close connection_pending
 ## connection_rejected connection_reset connection_reused connection_state_remove
@@ -202,7 +202,7 @@ event connection_first_ACK%(c: connection%);
 ##
 ## is_orig: True if the event is raised for the originator side.
 ##
-## .. bro:see:: connection_SYN_packet connection_attempt connection_established
+## .. zeek:see:: connection_SYN_packet connection_attempt connection_established
 ## connection_external connection_finished connection_first_ACK
 ## connection_half_finished connection_partial_close connection_pending
 ## connection_rejected connection_reset connection_reused connection_state_remove
@@ -213,7 +213,7 @@ event connection_EOF%(c: connection, is_orig: bool%);
 ## Generated for every TCP packet. This is a very low-level and expensive event
 ## that should be avoided when at all possible. It's usually infeasible to
 ## handle when processing even medium volumes of traffic in real-time. It's
-## slightly better than :bro:id:`new_packet` because it affects only TCP, but
+## slightly better than :zeek:id:`new_packet` because it affects only TCP, but
 ## not much. That said, if you work from a trace and want to do some
 ## packet-level analysis, it may come in handy.
 ##
@@ -235,7 +235,7 @@ event connection_EOF%(c: connection, is_orig: bool%);
 ## payload: The raw TCP payload. Note that this may be shorter than *len* if
 ## the packet was not fully captured.
 ##
-## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit
+## .. zeek:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit
 event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);
 
 ## Generated for each option found in a TCP header. Like many of the ``tcp_*``
@@ -250,16 +250,16 @@ event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack:
 ##
 ## optlen: The length of the options value.
 ##
-## .. bro:see:: tcp_packet tcp_contents tcp_rexmit
+## .. zeek:see:: tcp_packet tcp_contents tcp_rexmit
 ##
 ## .. note:: There is currently no way to get the actual option value, if any.
 event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
 
 ## Generated for each chunk of reassembled TCP payload. When content delivery is
-## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`,
-## :bro:id:`tcp_content_delivery_ports_resp`,
-## :bro:id:`tcp_content_deliver_all_orig`,
-## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk
+## enabled for a TCP connection (via :zeek:id:`tcp_content_delivery_ports_orig`,
+## :zeek:id:`tcp_content_delivery_ports_resp`,
+## :zeek:id:`tcp_content_deliver_all_orig`,
+## :zeek:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk
 ## of in-order payload reconstructed from the packet stream. Note that this
 ## event is potentially expensive if many connections carry significant amounts
 ## of data as then all that data needs to be passed on to the scripting layer.
@@ -273,7 +273,7 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
 ##
 ## contents: The raw payload, which will be non-empty.
 ##
-## .. bro:see:: tcp_packet tcp_option tcp_rexmit
+## .. zeek:see:: tcp_packet tcp_option tcp_rexmit
 ## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
 ## tcp_content_deliver_all_resp tcp_content_deliver_all_orig
 ##
@@ -299,7 +299,7 @@ event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_
 ##
 ## threshold: the threshold that was crossed
 ##
-## .. bro:see:: udp_multiple_checksum_errors
+## .. zeek:see:: udp_multiple_checksum_errors
 ## tcp_multiple_zero_windows tcp_multiple_retransmissions tcp_multiple_gap
 event tcp_multiple_checksum_errors%(c: connection, is_orig: bool, threshold: count%);
 
@@ -312,7 +312,7 @@ event tcp_multiple_checksum_errors%(c: connection, is_orig: bool, threshold: cou
 ##
 ## threshold: the threshold that was crossed
 ##
-## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_retransmissions tcp_multiple_gap
+## .. zeek:see:: tcp_multiple_checksum_errors tcp_multiple_retransmissions tcp_multiple_gap
 event tcp_multiple_zero_windows%(c: connection, is_orig: bool, threshold: count%);
 
 ## Generated if a TCP flow crosses a retransmission threshold, per
@@ -324,7 +324,7 @@ event tcp_multiple_zero_windows%(c: connection, is_orig: bool, threshold: count%
 ##
 ## threshold: the threshold that was crossed
 ##
-## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_gap
+## .. zeek:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_gap
 event tcp_multiple_retransmissions%(c: connection, is_orig: bool, threshold: count%);
 
 ## Generated if a TCP flow crosses a gap threshold, per 'G'/'g' history
@@ -336,7 +336,7 @@ event tcp_multiple_retransmissions%(c: connection, is_orig: bool, threshold: cou
 ##
 ## threshold: the threshold that was crossed
 ##
-## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_retransmissions
+## .. zeek:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_retransmissions
 event tcp_multiple_gap%(c: connection, is_orig: bool, threshold: count%);
 
 ## Generated when failing to write contents of a TCP stream to a file.
@@ -347,5 +347,5 @@ event tcp_multiple_gap%(c: connection, is_orig: bool, threshold: count%);
 ##
 ## msg: A reason or description for the failure.
 ##
-## .. bro:see:: set_contents_file get_contents_file
+## .. zeek:see:: set_contents_file get_contents_file
 event contents_file_write_failure%(c: connection, is_orig: bool, msg: string%);
diff --git a/src/analyzer/protocol/tcp/functions.bif b/src/analyzer/protocol/tcp/functions.bif
index 90c3e5ae2a..4aa218991e 100644
--- a/src/analyzer/protocol/tcp/functions.bif
+++ b/src/analyzer/protocol/tcp/functions.bif
@@ -12,7 +12,7 @@
 ## Returns: The highest sequence number sent by a connection's originator, or 0
 ## if *cid* does not point to an active TCP connection.
 ##
-## .. bro:see:: get_resp_seq
+## .. zeek:see:: get_resp_seq
 function get_orig_seq%(cid: conn_id%): count
 %{
 Connection* c = sessions->FindConnection(cid);
@@ -41,7 +41,7 @@ function get_orig_seq%(cid: conn_id%): count
 ## Returns: The highest sequence number sent by a connection's responder, or 0
 ## if *cid* does not point to an active TCP connection.
 ##
-## .. bro:see:: get_orig_seq
+## .. zeek:see:: get_orig_seq
 function get_resp_seq%(cid: conn_id%): count
 %{
 Connection* c = sessions->FindConnection(cid);
@@ -89,9 +89,9 @@ function get_resp_seq%(cid: conn_id%): count
 ## contents of individual packets. Reordering and duplicates are
 ## removed. If any data is missing, the recording stops at the
 ## missing data; this can happen, e.g., due to an
-## :bro:id:`content_gap` event.
+## :zeek:id:`content_gap` event.
 ##
-## .. bro:see:: get_contents_file set_record_packets contents_file_write_failure
+## .. zeek:see:: get_contents_file set_record_packets contents_file_write_failure
 function set_contents_file%(cid: conn_id, direction: count, f: file%): bool
 %{
 Connection* c = sessions->FindConnection(cid);
@@ -107,14 +107,14 @@ function set_contents_file%(cid: conn_id, direction: count, f: file%): bool
 ## cid: The connection ID.
 ##
 ## direction: Controls what sides of the connection to record. See
-## :bro:id:`set_contents_file` for possible values.
+## :zeek:id:`set_contents_file` for possible values.
 ##
-## Returns: The :bro:type:`file` handle for the contents file of the
+## Returns: The :zeek:type:`file` handle for the contents file of the
 ## connection identified by *cid*. If the connection exists
 ## but there is no contents file for *direction*, then the function
 ## generates an error and returns a file handle to ``stderr``.
 ##
-## .. bro:see:: set_contents_file set_record_packets contents_file_write_failure
+## .. zeek:see:: set_contents_file set_record_packets contents_file_write_failure
 function get_contents_file%(cid: conn_id, direction: count%): file
 %{
 Connection* c = sessions->FindConnection(cid);
diff --git a/src/analyzer/protocol/teredo/events.bif b/src/analyzer/protocol/teredo/events.bif
index 62bc7d06cd..080eb1bf6e 100644
--- a/src/analyzer/protocol/teredo/events.bif
+++ b/src/analyzer/protocol/teredo/events.bif
@@ -5,7 +5,7 @@
 ##
 ## inner: The Teredo-encapsulated IPv6 packet header and transport header.
 ##
-## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble
+## .. zeek:see:: teredo_authentication teredo_origin_indication teredo_bubble
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
 ## it may become particularly expensive for real-time analysis.
@@ -19,7 +19,7 @@ event teredo_packet%(outer: connection, inner: teredo_hdr%);
 ##
 ## inner: The Teredo-encapsulated IPv6 packet header and transport header.
 ##
-## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble
+## .. zeek:see:: teredo_packet teredo_origin_indication teredo_bubble
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
 ## it may become particularly expensive for real-time analysis.
@@ -33,21 +33,21 @@ event teredo_authentication%(outer: connection, inner: teredo_hdr%);
 ##
 ## inner: The Teredo-encapsulated IPv6 packet header and transport header.
 ##
-## .. bro:see:: teredo_packet teredo_authentication teredo_bubble
+## .. zeek:see:: teredo_packet teredo_authentication teredo_bubble
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
 ## it may become particularly expensive for real-time analysis.
 event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
 
 ## Generated for Teredo bubble packets. That is, IPv6 packets encapsulated
-## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`.
+## in a Teredo tunnel that have a Next Header value of :zeek:id:`IPPROTO_NONE`.
 ## See :rfc:`4380` for more information about the Teredo protocol.
 ##
 ## outer: The Teredo tunnel connection.
 ##
 ## inner: The Teredo-encapsulated IPv6 packet header and transport header.
 ##
-## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication
+## .. zeek:see:: teredo_packet teredo_authentication teredo_origin_indication
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
 ## it may become particularly expensive for real-time analysis.
diff --git a/src/analyzer/protocol/udp/events.bif b/src/analyzer/protocol/udp/events.bif
index afcace330b..60326bf601 100644
--- a/src/analyzer/protocol/udp/events.bif
+++ b/src/analyzer/protocol/udp/events.bif
@@ -4,7 +4,7 @@
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
-## .. bro:see:: udp_contents udp_reply udp_session_done
+## .. zeek:see:: udp_contents udp_reply udp_session_done
 event udp_request%(u: connection%);
 
 ## Generated for each packet sent by a UDP flow's responder. This a potentially
@@ -13,17 +13,17 @@ event udp_request%(u: connection%);
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
-## .. bro:see:: udp_contents udp_request udp_session_done
+## .. zeek:see:: udp_contents udp_request udp_session_done
 event udp_reply%(u: connection%);
 
 ## Generated for UDP packets to pass on their payload. As the number of UDP
 ## packets can be very large, this event is normally raised only for those on
-## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets
-## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp`
+## ports configured in :zeek:id:`udp_content_delivery_ports_orig` (for packets
+## sent by the flow's originator) or :zeek:id:`udp_content_delivery_ports_resp`
 ## (for packets sent by the flow's responder). However, delivery can be enabled
 ## for all UDP request and reply packets by setting
-## :bro:id:`udp_content_deliver_all_orig` or
-## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this
+## :zeek:id:`udp_content_deliver_all_orig` or
+## :zeek:id:`udp_content_deliver_all_resp`, respectively. Note that this
 ## event is also raised for all matching UDP packets, including empty ones.
 ##
 ## u: The connection record for the corresponding UDP flow.
@@ -32,7 +32,7 @@ event udp_reply%(u: connection%);
 ##
 ## contents: TODO.
 ##
-## .. bro:see:: udp_reply udp_request udp_session_done
+## .. zeek:see:: udp_reply udp_request udp_session_done
 ## udp_content_deliver_all_orig udp_content_deliver_all_resp
 ## udp_content_delivery_ports_orig udp_content_delivery_ports_resp
 event udp_contents%(u: connection, is_orig: bool, contents: string%);
@@ -46,6 +46,6 @@ event udp_contents%(u: connection, is_orig: bool, contents: string%);
 ##
 ## threshold: the threshold that was crossed
 ##
-## .. bro:see:: udp_reply udp_request udp_session_done
+## .. zeek:see:: udp_reply udp_request udp_session_done
 ## tcp_multiple_checksum_errors
 event udp_multiple_checksum_errors%(u: connection, is_orig: bool, threshold: count%);
diff --git a/src/bro.bif b/src/bro.bif
index 4440f823c7..7493d5618b 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -303,7 +303,7 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
 
 ## Returns the current wall-clock time.
 ##
-## In general, you should use :bro:id:`network_time` instead
+## In general, you should use :zeek:id:`network_time` instead
 ## unless you are using Bro for non-networking uses (such as general
 ## scripting; not particularly recommended), because otherwise your script
 ## may behave very differently on live traffic versus played-back traffic
@@ -311,7 +311,7 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
 ##
 ## Returns: The wall-clock time.
 ##
-## .. bro:see:: network_time
+## .. zeek:see:: network_time
 function current_time%(%): time
 %{
 return new Val(current_time(), TYPE_TIME);
@@ -323,7 +323,7 @@ function current_time%(%): time
 ##
 ## Returns: The timestamp of the packet processed.
 ##
-## .. bro:see:: current_time
+## .. zeek:see:: current_time
 function network_time%(%): time
 %{
 return new Val(network_time, TYPE_TIME);
@@ -336,7 +336,7 @@ function network_time%(%): time
 ## Returns: The system environment variable identified by *var*, or an empty
 ## string if it is not defined.
 ##
-## .. bro:see:: setenv
+## .. zeek:see:: setenv
 function getenv%(var: string%): string
 %{
 const char* env_val = getenv(var->CheckString());
@@ -353,7 +353,7 @@ function getenv%(var: string%): string
 ##
 ## Returns: True on success.
 ##
-## .. bro:see:: getenv
+## .. zeek:see:: getenv
 function setenv%(var: string, val: string%): bool
 %{
 int result = setenv(var->AsString()->CheckString(),
@@ -368,7 +368,7 @@ function setenv%(var: string, val: string%): bool
 ##
 ## code: The exit code to return with.
 ##
-## .. bro:see:: terminate
+## .. zeek:see:: terminate
 function exit%(code: int%): any
 %{
 exit(code);
@@ -380,7 +380,7 @@ function exit%(code: int%): any
 ## Returns: True after successful termination and false when Bro is still in
 ## the process of shutting down.
 ##
-## .. bro:see:: exit bro_is_terminating
+## .. zeek:see:: exit bro_is_terminating
 function terminate%(%): bool
 %{
 if ( terminating )
@@ -446,7 +446,7 @@ static int do_system(const char* s)
 ##
 ## Returns: The return value from the OS ``system`` function.
 ##
-## .. bro:see:: system_env safe_shell_quote piped_exec
+## .. zeek:see:: system_env safe_shell_quote piped_exec
 ##
 ## .. note::
 ##
@@ -461,18 +461,18 @@ function system%(str: string%): int
 %}
 
 ## Invokes a command via the ``system`` function of the OS with a prepared
-## environment. The function is essentially the same as :bro:id:`system`,
+## environment. The function is essentially the same as :zeek:id:`system`,
 ## but changes the environment before invoking the command.
 ##
 ## str: The command to execute.
 ##
-## env: A :bro:type:`table` with the environment variables in the form
+## env: A :zeek:type:`table` with the environment variables in the form
 ## of key-value pairs. Each specified environment variable name
 ## will be automatically prepended with ``BRO_ARG_``.
 ##
 ## Returns: The return value from the OS ``system`` function.
 ##
-## .. bro:see:: system safe_shell_quote piped_exec
+## .. zeek:see:: system safe_shell_quote piped_exec
 function system_env%(str: string, env: table_string_of_string%): int
 %{
 if ( env->Type()->Tag() != TYPE_TABLE )
@@ -500,7 +500,7 @@ function system_env%(str: string, env: table_string_of_string%): int
 ##
 ## Returns: True on success.
 ##
-## .. bro:see:: system system_env
+## .. zeek:see:: system system_env
 function piped_exec%(program: string, to_write: string%): bool
 %{
 const char* prog = program->CheckString();
@@ -536,14 +536,14 @@ function piped_exec%(program: string, to_write: string%): bool
 ##
 ## Returns: The MD5 hash value of the concatenated arguments.
 ##
-## .. bro:see:: md5_hmac md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hmac md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
 ##
 ## .. note::
 ##
 ## This function performs a one-shot computation of its arguments.
-## For incremental hash computation, see :bro:id:`md5_hash_init` and
+## For incremental hash computation, see :zeek:id:`md5_hash_init` and
 ## friends.
 function md5_hash%(...%): string
 %{
@@ -556,14 +556,14 @@ function md5_hash%(...%): string
 ##
 ## Returns: The SHA1 hash value of the concatenated arguments.
 ##
-## .. bro:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
 ##
 ## .. note::
 ##
 ## This function performs a one-shot computation of its arguments.
-## For incremental hash computation, see :bro:id:`sha1_hash_init` and
+## For incremental hash computation, see :zeek:id:`sha1_hash_init` and
 ## friends.
 function sha1_hash%(...%): string
 %{
@@ -576,14 +576,14 @@ function sha1_hash%(...%): string
 ##
 ## Returns: The SHA256 hash value of the concatenated arguments.
 ##
-## .. bro:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash_init sha256_hash_update sha256_hash_finish
 ##
 ## .. note::
 ##
 ## This function performs a one-shot computation of its arguments.
-## For incremental hash computation, see :bro:id:`sha256_hash_init` and
+## For incremental hash computation, see :zeek:id:`sha256_hash_init` and
 ## friends.
 function sha256_hash%(...%): string
 %{
@@ -598,7 +598,7 @@ function sha256_hash%(...%): string
 ##
 ## Returns: The HMAC-MD5 hash value of the concatenated arguments.
 ##
-## .. bro:see:: md5_hash md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hash md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
 function md5_hmac%(...%): string
@@ -609,8 +609,8 @@ function md5_hmac%(...%): string
 %}
 
 ## Constructs an MD5 handle to enable incremental hash computation. You can
-## feed data to the returned opaque value with :bro:id:`md5_hash_update` and
-## eventually need to call :bro:id:`md5_hash_finish` to finish the computation
+## feed data to the returned opaque value with :zeek:id:`md5_hash_update` and
+## eventually need to call :zeek:id:`md5_hash_finish` to finish the computation
 ## and get the hash digest.
 ##
 ## For example, when computing incremental MD5 values of transferred files in
@@ -618,12 +618,12 @@ function md5_hmac%(...%): string
 ## HTTP session record. Then, one would call
 ## ``c$http$md5_handle = md5_hash_init()`` once before invoking
 ## ``md5_hash_update(c$http$md5_handle, some_more_data)`` in the
-## :bro:id:`http_entity_data` event handler. When all data has arrived, a call
-## to :bro:id:`md5_hash_finish` returns the final hash value.
+## :zeek:id:`http_entity_data` event handler. When all data has arrived, a call
+## to :zeek:id:`md5_hash_finish` returns the final hash value.
 ##
 ## Returns: The opaque handle associated with this hash computation.
 ##
-## .. bro:see:: md5_hmac md5_hash md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hmac md5_hash md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
 function md5_hash_init%(%): opaque of md5
@@ -634,8 +634,8 @@ function md5_hash_init%(%): opaque of md5
 %}
 
 ## Constructs an SHA1 handle to enable incremental hash computation. You can
-## feed data to the returned opaque value with :bro:id:`sha1_hash_update` and
-## finally need to call :bro:id:`sha1_hash_finish` to finish the computation
+## feed data to the returned opaque value with :zeek:id:`sha1_hash_update` and
+## finally need to call :zeek:id:`sha1_hash_finish` to finish the computation
 ## and get the hash digest.
 ##
 ## For example, when computing incremental SHA1 values of transferred files in
@@ -643,12 +643,12 @@ function md5_hash_init%(%): opaque of md5
 ## HTTP session record. Then, one would call
 ## ``c$http$sha1_handle = sha1_hash_init()`` once before invoking
 ## ``sha1_hash_update(c$http$sha1_handle, some_more_data)`` in the
-## :bro:id:`http_entity_data` event handler. When all data has arrived, a call
-## to :bro:id:`sha1_hash_finish` returns the final hash value.
+## :zeek:id:`http_entity_data` event handler. When all data has arrived, a call
+## to :zeek:id:`sha1_hash_finish` returns the final hash value.
 ##
 ## Returns: The opaque handle associated with this hash computation.
 ##
-## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
 function sha1_hash_init%(%): opaque of sha1
@@ -659,8 +659,8 @@ function sha1_hash_init%(%): opaque of sha1
 %}
 
 ## Constructs an SHA256 handle to enable incremental hash computation. You can
-## feed data to the returned opaque value with :bro:id:`sha256_hash_update` and
-## finally need to call :bro:id:`sha256_hash_finish` to finish the computation
+## feed data to the returned opaque value with :zeek:id:`sha256_hash_update` and
+## finally need to call :zeek:id:`sha256_hash_finish` to finish the computation
 ## and get the hash digest.
 ##
 ## For example, when computing incremental SHA256 values of transferred files in
@@ -668,12 +668,12 @@ function sha1_hash_init%(%): opaque of sha1
 ## HTTP session record. Then, one would call
 ## ``c$http$sha256_handle = sha256_hash_init()`` once before invoking
 ## ``sha256_hash_update(c$http$sha256_handle, some_more_data)`` in the
-## :bro:id:`http_entity_data` event handler. When all data has arrived, a call
-## to :bro:id:`sha256_hash_finish` returns the final hash value.
+## :zeek:id:`http_entity_data` event handler. When all data has arrived, a call
+## to :zeek:id:`sha256_hash_finish` returns the final hash value.
 ##
 ## Returns: The opaque handle associated with this hash computation.
 ##
-## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_update sha256_hash_finish
 function sha256_hash_init%(%): opaque of sha256
@@ -684,7 +684,7 @@ function sha256_hash_init%(%): opaque of sha256
 %}
 
 ## Updates the MD5 value associated with a given index. It is required to
-## call :bro:id:`md5_hash_init` once before calling this
+## call :zeek:id:`md5_hash_init` once before calling this
 ## function.
 ##
 ## handle: The opaque handle associated with this hash computation.
@@ -693,7 +693,7 @@ function sha256_hash_init%(%): opaque of sha256
 ##
 ## Returns: True on success.
 ##
-## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_finish
+## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
 function md5_hash_update%(handle: opaque of md5, data: string%): bool
@@ -703,7 +703,7 @@ function md5_hash_update%(handle: opaque of md5, data: string%): bool
 %}
 ## Updates the SHA1 value associated with a given index. It is required to
-## call :bro:id:`sha1_hash_init` once before calling this
+## call :zeek:id:`sha1_hash_init` once before calling this
 ## function.
 ##
 ## handle: The opaque handle associated with this hash computation.
@@ -712,7 +712,7 @@ function md5_hash_update%(handle: opaque of md5, data: string%): bool
 ##
 ## Returns: True on success.
 ##
-## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
 function sha1_hash_update%(handle: opaque of sha1, data: string%): bool
@@ -722,7 +722,7 @@ function sha1_hash_update%(handle: opaque of sha1, data: string%): bool
 %}
 ## Updates the SHA256 value associated with a given index. It is required to
-## call :bro:id:`sha256_hash_init` once before calling this
+## call :zeek:id:`sha256_hash_init` once before calling this
 ## function.
 ##
 ## handle: The opaque handle associated with this hash computation.
@@ -731,7 +731,7 @@ function sha1_hash_update%(handle: opaque of sha1, data: string%): bool
 ##
 ## Returns: True on success.
 ##
-## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_finish
 function sha256_hash_update%(handle: opaque of sha256, data: string%): bool
@@ -746,7 +746,7 @@ function sha256_hash_update%(handle: opaque of sha256, data: string%): bool
 ##
 ## Returns: The hash value associated with the computation of *handle*.
 ##
-## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update
+## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update
 ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
 function md5_hash_finish%(handle: opaque of md5%): string
@@ -760,7 +760,7 @@ function md5_hash_finish%(handle: opaque of md5%): string
 ##
 ## Returns: The hash value associated with the computation of *handle*.
 ##
-## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_update
 ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
 function sha1_hash_finish%(handle: opaque of sha1%): string
@@ -774,7 +774,7 @@ function sha1_hash_finish%(handle: opaque of sha1%): string
 ##
 ## Returns: The hash value associated with the computation of *handle*.
 ##
-## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
 ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
 ## sha256_hash sha256_hash_init sha256_hash_update
 function sha256_hash_finish%(handle: opaque of sha256%): string
@@ -789,7 +789,7 @@ function sha256_hash_finish%(handle: opaque of sha256%): string
 ##
 ## Returns: The hashed value.
 ##
-## .. bro:see:: hrw_weight
+## .. zeek:see:: hrw_weight
 function fnv1a32%(input: any%): count
 %{
 ODesc desc(DESC_BINARY);
@@ -814,14 +814,14 @@ function fnv1a32%(input: any%): count
 ## The weight function used is the one recommended in the original
 ## paper: ``_.
 ##
-## key_digest: A 32-bit digest of a key. E.g. use :bro:see:`fnv1a32` to
+## key_digest: A 32-bit digest of a key. E.g. use :zeek:see:`fnv1a32` to
 ## produce this.
 ##
 ## site_id: A 32-bit site/node identifier.
 ##
 ## Returns: The weight value for the key/site pair.
 ##
-## .. bro:see:: fnv1a32
+## .. zeek:see:: fnv1a32
 function hrw_weight%(key_digest: count, site_id: count%): count
 %{
 uint32 d = key_digest;
@@ -845,7 +845,7 @@ function hrw_weight%(key_digest: count, site_id: count%): count
 ##
 ## Returns: a random positive integer in the interval *[0, max)*.
 ##
-## .. bro:see:: srand
+## .. zeek:see:: srand
 ##
 ## .. note::
 ##
@@ -857,11 +857,11 @@ function rand%(max: count%): count
 return val_mgr->GetCount(result);
 %}
-## Sets the seed for subsequent :bro:id:`rand` calls.
+## Sets the seed for subsequent :zeek:id:`rand` calls.
 ##
 ## seed: The seed for the PRNG.
 ##
-## .. bro:see:: rand
+## .. zeek:see:: rand
 ##
 ## .. note::
 ##
@@ -897,7 +897,7 @@ function syslog%(s: string%): any
 ## Returns: The MIME type of *data*, or "" if there was an error
 ## or no match. This is the strongest signature match.
 ##
-## .. bro:see:: file_magic
+## .. zeek:see:: file_magic
 function identify_data%(data: string, return_mime: bool &default=T%): string
 %{
 if ( ! return_mime )
@@ -918,7 +918,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
 ##
 ## Returns: All matching signatures, in order of strength.
 ##
-## .. bro:see:: identify_data
+## .. zeek:see:: identify_data
 function file_magic%(data: string%): mime_matches
 %{
 RuleMatcher::MIME_Matches matches;
@@ -965,7 +965,7 @@ function file_magic%(data: string%): mime_matches
 ## which each byte in the file depends upon the previous byte.
 ## For random sequences this value will be close to zero.
 ##
-## .. bro:see:: entropy_test_init entropy_test_add entropy_test_finish
+## .. zeek:see:: entropy_test_init entropy_test_add entropy_test_finish
 function find_entropy%(data: string%): entropy_test_result
 %{
 double montepi, scc, ent, mean, chisq;
@@ -987,7 +987,7 @@ function find_entropy%(data: string%): entropy_test_result
 ##
 ## Returns: An opaque handle to be used in subsequent operations.
 ##
-## .. bro:see:: find_entropy entropy_test_add entropy_test_finish
+## .. zeek:see:: find_entropy entropy_test_add entropy_test_finish
 function entropy_test_init%(%): opaque of entropy
 %{
 return new EntropyVal();
@@ -1001,7 +1001,7 @@ function entropy_test_init%(%): opaque of entropy
 ##
 ## Returns: True on success.
 ##
-## .. bro:see:: find_entropy entropy_test_add entropy_test_finish
+## .. zeek:see:: find_entropy entropy_test_add entropy_test_finish
 function entropy_test_add%(handle: opaque of entropy, data: string%): bool
 %{
 bool status = static_cast(handle)->Feed(data->Bytes(),
@@ -1010,15 +1010,15 @@ function entropy_test_add%(handle: opaque of entropy, data: string%): bool
 %}
 ## Finishes an incremental entropy calculation. Before using this function,
-## one needs to obtain an opaque handle with :bro:id:`entropy_test_init` and
-## add data to it via :bro:id:`entropy_test_add`.
+## one needs to obtain an opaque handle with :zeek:id:`entropy_test_init` and
+## add data to it via :zeek:id:`entropy_test_add`.
 ##
 ## handle: The opaque handle representing the entropy calculation state.
 ##
-## Returns: The result of the entropy test. See :bro:id:`find_entropy` for a
+## Returns: The result of the entropy test. See :zeek:id:`find_entropy` for a
 ## description of the individual components.
 ##
-## .. bro:see:: find_entropy entropy_test_init entropy_test_add
+## .. zeek:see:: find_entropy entropy_test_init entropy_test_add
 function entropy_test_finish%(handle: opaque of entropy%): entropy_test_result
 %{
 double montepi, scc, ent, mean, chisq;
@@ -1040,7 +1040,7 @@ function entropy_test_finish%(handle: opaque of entropy%): entropy_test_result
 ##
 ## Returns: A string identifier that is unique.
 ##
-## .. bro:see:: unique_id_from
+## .. zeek:see:: unique_id_from
 function unique_id%(prefix: string%) : string
 %{
 char tmp[20];
@@ -1056,7 +1056,7 @@ function unique_id%(prefix: string%) : string
 ##
 ## Returns: A string identifier that is unique.
 ##
-## .. bro:see:: unique_id
+## .. zeek:see:: unique_id
 function unique_id_from%(pool: int, prefix: string%) : string
 %{
 pool += UID_POOL_CUSTOM_SCRIPT; // Make sure we don't conflict with internal pool.
@@ -1181,7 +1181,7 @@ function val_size%(v: any%): count
 ##
 ## newsize: The new size of *aggr*.
 ##
-## Returns: The old size of *aggr*, or 0 if *aggr* is not a :bro:type:`vector`.
+## Returns: The old size of *aggr*, or 0 if *aggr* is not a :zeek:type:`vector`.
 function resize%(aggr: any, newsize: count%) : count
 %{
 if ( aggr->Type()->Tag() != TYPE_VECTOR )
@@ -1200,7 +1200,7 @@ function resize%(aggr: any, newsize: count%) : count
 ##
 ## Returns: True if any element in *v* is true.
 ##
-## .. bro:see:: all_set
+## .. zeek:see:: all_set
 function any_set%(v: any%) : bool
 %{
 if ( v->Type()->Tag() != TYPE_VECTOR ||
@@ -1225,7 +1225,7 @@ function any_set%(v: any%) : bool
 ##
 ## Returns: True iff all elements in *v* are true or there are no elements.
 ##
-## .. bro:see:: any_set
+## .. zeek:see:: any_set
 ##
 ## .. note::
 ##
@@ -1324,7 +1324,7 @@ bool indirect_unsigned_sort_function(size_t a, size_t b)
 ## Returns: The vector, sorted from minimum to maximum value. If the vector
 ## could not be sorted, then the original vector is returned instead.
 ##
-## .. bro:see:: order
+## .. zeek:see:: order
 function sort%(v: any, ...%) : any
 %{
 v->Ref(); // we always return v
@@ -1384,7 +1384,7 @@ function sort%(v: any, ...%) : any
 %}
 ## Returns the order of the elements in a vector according to some
-## comparison function. See :bro:id:`sort` for details about the comparison
+## comparison function. See :zeek:id:`sort` for details about the comparison
 ## function.
 ##
 ## v: The vector whose order to compute.
@@ -1393,7 +1393,7 @@ function sort%(v: any, ...%) : any
 ## For example, the elements of *v* in order are (assuming ``o``
 ## is the vector returned by ``order``): v[o[0]], v[o[1]], etc.
 ##
-## .. bro:see:: sort
+## .. zeek:see:: sort
 function order%(v: any, ...%) : index_vec
 %{
 VectorVal* result_v = new VectorVal(
@@ -1501,7 +1501,7 @@ function cat%(...%): string
 %}
 ## Concatenates all arguments, with a separator placed between each one. This
-## function is similar to :bro:id:`cat`, but places a separator between each
+## function is similar to :zeek:id:`cat`, but places a separator between each
 ## given argument. If any of the variable arguments is an empty string it is
 ## replaced by a given default string instead.
 ##
@@ -1512,7 +1512,7 @@ function cat%(...%): string
 ## Returns: A concatenation of all arguments with *sep* between each one and
 ## empty strings replaced with *def*.
 ##
-## .. bro:see:: cat string_cat cat_string_array cat_string_array_n
+## .. zeek:see:: cat string_cat cat_string_array cat_string_array_n
 function cat_sep%(sep: string, def: string, ...%): string
 %{
 ODesc d;
@@ -1574,12 +1574,12 @@ function cat_sep%(sep: string, def: string, ...%): string
 ##
 ## - ``[efg]``: Double
 ##
-## Returns: Returns the formatted string. Given no arguments, :bro:id:`fmt`
+## Returns: Returns the formatted string. Given no arguments, :zeek:id:`fmt`
 ## returns an empty string. Given no format string or the wrong
 ## number of additional arguments for the given format specifier,
-## :bro:id:`fmt` generates a run-time error.
+## :zeek:id:`fmt` generates a run-time error.
 ##
-## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
+## .. zeek:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
 function fmt%(...%): string
 %{
 if ( @ARGC@ == 0 )
@@ -1623,27 +1623,27 @@ function fmt%(...%): string
 #
 # ===========================================================================
-## Computes the greatest integer less than the given :bro:type:`double` value.
+## Computes the greatest integer less than the given :zeek:type:`double` value.
 ## For example, ``floor(3.14)`` returns ``3.0``, and ``floor(-3.14)``
 ## returns ``-4.0``.
 ##
-## d: The :bro:type:`double` to manipulate.
+## d: The :zeek:type:`double` to manipulate.
 ##
-## Returns: The next lowest integer of *d* as :bro:type:`double`.
+## Returns: The next lowest integer of *d* as :zeek:type:`double`.
 ##
-## .. bro:see:: sqrt exp ln log10
+## .. zeek:see:: sqrt exp ln log10
 function floor%(d: double%): double
 %{
 return new Val(floor(d), TYPE_DOUBLE);
 %}
-## Computes the square root of a :bro:type:`double`.
+## Computes the square root of a :zeek:type:`double`.
 ##
 ## x: The number to compute the square root of.
 ##
 ## Returns: The square root of *x*.
 ##
-## .. bro:see:: floor exp ln log10
+## .. zeek:see:: floor exp ln log10
 function sqrt%(x: double%): double
 %{
 if ( x < 0 )
@@ -1661,7 +1661,7 @@ function sqrt%(x: double%): double
 ##
 ## Returns: *e* to the power of *d*.
 ##
-## .. bro:see:: floor sqrt ln log10
+## .. zeek:see:: floor sqrt ln log10
 function exp%(d: double%): double
 %{
 return new Val(exp(d), TYPE_DOUBLE);
@@ -1673,7 +1673,7 @@ function exp%(d: double%): double
 ##
 ## Returns: The natural logarithm of *d*.
 ##
-## .. bro:see:: exp floor sqrt log10
+## .. zeek:see:: exp floor sqrt log10
 function ln%(d: double%): double
 %{
 return new Val(log(d), TYPE_DOUBLE);
@@ -1685,7 +1685,7 @@ function ln%(d: double%): double
 ##
 ## Returns: The common logarithm of *d*.
 ##
-## .. bro:see:: exp floor sqrt ln
+## .. zeek:see:: exp floor sqrt ln
 function log10%(d: double%): double
 %{
 return new Val(log10(d), TYPE_DOUBLE);
@@ -1787,7 +1787,7 @@ function type_name%(t: any%): string
 ##
 ## Returns: True if reading traffic from a network interface.
 ##
-## .. bro:see:: reading_traces
+## .. zeek:see:: reading_traces
 function reading_live_traffic%(%): bool
 %{
 return val_mgr->GetBool(reading_live);
@@ -1798,7 +1798,7 @@ function reading_live_traffic%(%): bool
 ##
 ## Returns: True if reading traffic from a network trace.
 ##
-## .. bro:see:: reading_live_traffic
+## .. zeek:see:: reading_live_traffic
 function reading_traces%(%): bool
 %{
 return val_mgr->GetBool(reading_traces);
@@ -1810,7 +1810,7 @@ function reading_traces%(%): bool
 ##
 ## Returns: A table that maps variable names to their sizes.
 ##
-## .. bro:see:: global_ids
+## .. zeek:see:: global_ids
 function global_sizes%(%): var_sizes
 %{
 TableVal* sizes = new TableVal(var_sizes);
@@ -1837,7 +1837,7 @@ function global_sizes%(%): var_sizes
 ##
 ## Returns: A table that maps identifier names to information about them.
 ##
-## .. bro:see:: global_sizes
+## .. zeek:see:: global_sizes
 function global_ids%(%): id_table
 %{
 TableVal* ids = new TableVal(id_table);
@@ -1977,10 +1977,10 @@ function record_fields%(rec: any%): record_field_table
 ## Enables detailed collection of profiling statistics. Statistics include
 ## CPU/memory usage, connections, TCP states/reassembler, DNS lookups,
-## timers, and script-level state. The script variable :bro:id:`profiling_file`
+## timers, and script-level state. The script variable :zeek:id:`profiling_file`
 ## holds the name of the file.
 ##
-## .. bro:see:: get_conn_stats
+## .. zeek:see:: get_conn_stats
 ## get_dns_stats
 ## get_event_stats
 ## get_file_analysis_stats
@@ -2052,7 +2052,7 @@ function is_local_interface%(ip: addr%) : bool
 ##
 ## Returns: True (unconditionally).
 ##
-## .. bro:see:: get_matcher_stats
+## .. zeek:see:: get_matcher_stats
 function dump_rule_stats%(f: file%): bool
 %{
 if ( rule_matcher )
@@ -2065,7 +2065,7 @@ function dump_rule_stats%(f: file%): bool
 ##
 ## Returns: True if Bro is in the process of shutting down.
 ##
-## .. bro:see:: terminate
+## .. zeek:see:: terminate
 function bro_is_terminating%(%): bool
 %{
 return val_mgr->GetBool(terminating);
@@ -2143,10 +2143,10 @@ function is_v6_subnet%(s: subnet%): bool
 #
 # ===========================================================================
-## Converts the *data* field of :bro:type:`ip6_routing` records that have
+## Converts the *data* field of :zeek:type:`ip6_routing` records that have
 ## *rtype* of 0 into a vector of addresses.
 ##
-## s: The *data* field of an :bro:type:`ip6_routing` record that has
+## s: The *data* field of an :zeek:type:`ip6_routing` record that has
 ## an *rtype* of 0.
 ##
 ## Returns: The vector of addresses contained in the routing header data.
@@ -2173,14 +2173,14 @@ function routing0_data_to_addrs%(s: string%): addr_vec
 return rval;
 %}
-## Converts an :bro:type:`addr` to an :bro:type:`index_vec`.
+## Converts an :zeek:type:`addr` to an :zeek:type:`index_vec`.
 ##
 ## a: The address to convert into a vector of counts.
 ##
 ## Returns: A vector containing the host-order address representation,
 ## four elements in size for IPv6 addresses, or one element for IPv4.
 ##
-## .. bro:see:: counts_to_addr
+## .. zeek:see:: counts_to_addr
 function addr_to_counts%(a: addr%): index_vec
 %{
 VectorVal* rval = new VectorVal(internal_type("index_vec")->AsVectorType());
@@ -2193,14 +2193,14 @@ function addr_to_counts%(a: addr%): index_vec
 return rval;
 %}
-## Converts an :bro:type:`index_vec` to an :bro:type:`addr`.
+## Converts an :zeek:type:`index_vec` to an :zeek:type:`addr`.
 ##
 ## v: The vector containing host-order IP address representation,
 ## one element for IPv4 addresses, four elements for IPv6 addresses.
 ##
 ## Returns: An IP address.
 ##
-## .. bro:see:: addr_to_counts
+## .. zeek:see:: addr_to_counts
 function counts_to_addr%(v: index_vec%): addr
 %{
 if ( v->AsVector()->size() == 1 )
@@ -2223,11 +2223,11 @@ function counts_to_addr%(v: index_vec%): addr
 }
 %}
-## Converts an :bro:type:`enum` to an :bro:type:`int`.
+## Converts an :zeek:type:`enum` to an :zeek:type:`int`.
 ##
-## e: The :bro:type:`enum` to convert.
+## e: The :zeek:type:`enum` to convert.
 ##
-## Returns: The :bro:type:`int` value that corresponds to the :bro:type:`enum`.
+## Returns: The :zeek:type:`int` value that corresponds to the :zeek:type:`enum`.
 function enum_to_int%(e: any%): int
 %{
 if ( e->Type()->Tag() != TYPE_ENUM )
@@ -2239,13 +2239,13 @@ function enum_to_int%(e: any%): int
 return val_mgr->GetInt(e->AsEnum());
 %}
-## Converts a :bro:type:`string` to an :bro:type:`int`.
+## Converts a :zeek:type:`string` to an :zeek:type:`int`.
 ##
-## str: The :bro:type:`string` to convert.
+## str: The :zeek:type:`string` to convert.
 ##
-## Returns: The :bro:type:`string` *str* as :bro:type:`int`.
+## Returns: The :zeek:type:`string` *str* as :zeek:type:`int`.
 ##
-## .. bro:see:: to_addr to_port to_subnet
+## .. zeek:see:: to_addr to_port to_subnet
 function to_int%(str: string%): int
 %{
 const char* s = str->CheckString();
@@ -2264,11 +2264,11 @@ function to_int%(str: string%): int
 %}
-## Converts a (positive) :bro:type:`int` to a :bro:type:`count`.
+## Converts a (positive) :zeek:type:`int` to a :zeek:type:`count`.
 ##
-## n: The :bro:type:`int` to convert.
+## n: The :zeek:type:`int` to convert.
 ##
-## Returns: The :bro:type:`int` *n* as unsigned integer, or 0 if *n* < 0.
+## Returns: The :zeek:type:`int` *n* as unsigned integer, or 0 if *n* < 0.
 function int_to_count%(n: int%): count
 %{
 if ( n < 0 )
@@ -2279,13 +2279,13 @@ function int_to_count%(n: int%): count
 return val_mgr->GetCount(n);
 %}
-## Converts a :bro:type:`double` to a :bro:type:`count`.
+## Converts a :zeek:type:`double` to a :zeek:type:`count`.
 ##
-## d: The :bro:type:`double` to convert.
+## d: The :zeek:type:`double` to convert.
 ##
-## Returns: The :bro:type:`double` *d* as unsigned integer, or 0 if *d* < 0.0.
+## Returns: The :zeek:type:`double` *d* as unsigned integer, or 0 if *d* < 0.0.
 ##
-## .. bro:see:: double_to_time
+## .. zeek:see:: double_to_time
 function double_to_count%(d: double%): count
 %{
 if ( d < 0.0 )
@@ -2294,14 +2294,14 @@ function double_to_count%(d: double%): count
 return val_mgr->GetCount(bro_uint_t(rint(d)));
 %}
-## Converts a :bro:type:`string` to a :bro:type:`count`.
+## Converts a :zeek:type:`string` to a :zeek:type:`count`.
 ##
-## str: The :bro:type:`string` to convert.
+## str: The :zeek:type:`string` to convert.
 ##
-## Returns: The :bro:type:`string` *str* as unsigned integer, or 0 if *str* has
+## Returns: The :zeek:type:`string` *str* as unsigned integer, or 0 if *str* has
 ## an invalid format.
 ##
-## .. bro:see:: to_addr to_int to_port to_subnet
+## .. zeek:see:: to_addr to_int to_port to_subnet
 function to_count%(str: string%): count
 %{
 const char* s = str->CheckString();
@@ -2318,88 +2318,88 @@ function to_count%(str: string%): count
 return val_mgr->GetCount(u);
 %}
-## Converts an :bro:type:`interval` to a :bro:type:`double`.
+## Converts an :zeek:type:`interval` to a :zeek:type:`double`.
 ##
-## i: The :bro:type:`interval` to convert.
+## i: The :zeek:type:`interval` to convert.
 ##
-## Returns: The :bro:type:`interval` *i* as :bro:type:`double`.
+## Returns: The :zeek:type:`interval` *i* as :zeek:type:`double`.
 ##
-## .. bro:see:: double_to_interval
+## .. zeek:see:: double_to_interval
 function interval_to_double%(i: interval%): double
 %{
 return new Val(i, TYPE_DOUBLE);
 %}
-## Converts a :bro:type:`time` value to a :bro:type:`double`.
+## Converts a :zeek:type:`time` value to a :zeek:type:`double`.
 ##
-## t: The :bro:type:`time` to convert.
+## t: The :zeek:type:`time` to convert.
 ##
-## Returns: The :bro:type:`time` value *t* as :bro:type:`double`.
+## Returns: The :zeek:type:`time` value *t* as :zeek:type:`double`.
 ##
-## .. bro:see:: double_to_time
+## .. zeek:see:: double_to_time
 function time_to_double%(t: time%): double
 %{
 return new Val(t, TYPE_DOUBLE);
 %}
-## Converts a :bro:type:`double` value to a :bro:type:`time`.
+## Converts a :zeek:type:`double` value to a :zeek:type:`time`.
 ##
-## d: The :bro:type:`double` to convert.
+## d: The :zeek:type:`double` to convert.
 ##
-## Returns: The :bro:type:`double` value *d* as :bro:type:`time`.
+## Returns: The :zeek:type:`double` value *d* as :zeek:type:`time`.
 ##
-## .. bro:see:: time_to_double double_to_count
+## .. zeek:see:: time_to_double double_to_count
 function double_to_time%(d: double%): time
 %{
 return new Val(d, TYPE_TIME);
 %}
-## Converts a :bro:type:`double` to an :bro:type:`interval`.
+## Converts a :zeek:type:`double` to an :zeek:type:`interval`.
 ##
-## d: The :bro:type:`double` to convert.
+## d: The :zeek:type:`double` to convert.
 ##
-## Returns: The :bro:type:`double` *d* as :bro:type:`interval`.
+## Returns: The :zeek:type:`double` *d* as :zeek:type:`interval`.
 ##
-## .. bro:see:: interval_to_double
+## .. zeek:see:: interval_to_double
 function double_to_interval%(d: double%): interval
 %{
 return new Val(d, TYPE_INTERVAL);
 %}
-## Converts a :bro:type:`port` to a :bro:type:`count`.
+## Converts a :zeek:type:`port` to a :zeek:type:`count`.
 ##
-## p: The :bro:type:`port` to convert.
+## p: The :zeek:type:`port` to convert.
 ##
-## Returns: The :bro:type:`port` *p* as :bro:type:`count`.
+## Returns: The :zeek:type:`port` *p* as :zeek:type:`count`.
 ##
-## .. bro:see:: count_to_port
+## .. zeek:see:: count_to_port
 function port_to_count%(p: port%): count
 %{
 return val_mgr->GetCount(p->Port());
 %}
-## Converts a :bro:type:`count` and ``transport_proto`` to a :bro:type:`port`.
+## Converts a :zeek:type:`count` and ``transport_proto`` to a :zeek:type:`port`.
 ##
-## num: The :bro:type:`port` number.
+## num: The :zeek:type:`port` number.
 ##
 ## proto: The transport protocol.
 ##
-## Returns: The :bro:type:`count` *num* as :bro:type:`port`.
+## Returns: The :zeek:type:`count` *num* as :zeek:type:`port`.
 ##
-## .. bro:see:: port_to_count
+## .. zeek:see:: port_to_count
 function count_to_port%(num: count, proto: transport_proto%): port
 %{
 return val_mgr->GetPort(num, (TransportProto)proto->AsEnum());
 %}
-## Converts a :bro:type:`string` to an :bro:type:`addr`.
+## Converts a :zeek:type:`string` to an :zeek:type:`addr`.
 ##
-## ip: The :bro:type:`string` to convert.
+## ip: The :zeek:type:`string` to convert.
 ##
-## Returns: The :bro:type:`string` *ip* as :bro:type:`addr`, or the unspecified
+## Returns: The :zeek:type:`string` *ip* as :zeek:type:`addr`, or the unspecified
 ## address ``::`` if the input string does not parse correctly.
 ##
-## .. bro:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr
+## .. zeek:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr
 ## to_subnet
 function to_addr%(ip: string%): addr
 %{
@@ -2409,14 +2409,14 @@ function to_addr%(ip: string%): addr
 return ret;
 %}
-## Converts a :bro:type:`string` to a :bro:type:`subnet`.
+## Converts a :zeek:type:`string` to a :zeek:type:`subnet`.
 ##
 ## sn: The subnet to convert.
 ##
-## Returns: The *sn* string as a :bro:type:`subnet`, or the unspecified subnet
+## Returns: The *sn* string as a :zeek:type:`subnet`, or the unspecified subnet
 ## ``::/0`` if the input string does not parse correctly.
 ##
-## .. bro:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr
+## .. zeek:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr
 ## to_addr
 function to_subnet%(sn: string%): subnet
 %{
@@ -2426,49 +2426,49 @@ function to_subnet%(sn: string%): subnet
 return ret;
 %}
-## Converts a :bro:type:`addr` to a :bro:type:`subnet`.
+## Converts a :zeek:type:`addr` to a :zeek:type:`subnet`.
 ##
 ## a: The address to convert.
 ##
-## Returns: The address as a :bro:type:`subnet`.
+## Returns: The address as a :zeek:type:`subnet`.
 ##
-## .. bro:see:: to_subnet
+## .. zeek:see:: to_subnet
 function addr_to_subnet%(a: addr%): subnet
 %{
 int width = (a->AsAddr().GetFamily() == IPv4 ? 32 : 128);
 return new SubNetVal(a->AsAddr(), width);
 %}
-## Converts a :bro:type:`subnet` to an :bro:type:`addr` by
+## Converts a :zeek:type:`subnet` to an :zeek:type:`addr` by
 ## extracting the prefix.
 ##
 ## sn: The subnet to convert.
 ##
-## Returns: The subnet as an :bro:type:`addr`.
+## Returns: The subnet as an :zeek:type:`addr`.
 ##
-## .. bro:see:: to_subnet
+## .. zeek:see:: to_subnet
 function subnet_to_addr%(sn: subnet%): addr
 %{
 return new AddrVal(sn->Prefix());
 %}
-## Returns the width of a :bro:type:`subnet`.
+## Returns the width of a :zeek:type:`subnet`.
 ##
 ## sn: The subnet.
 ##
 ## Returns: The width of the subnet.
 ##
-## .. bro:see:: to_subnet
+## .. zeek:see:: to_subnet
 function subnet_width%(sn: subnet%): count
 %{
 return val_mgr->GetCount(sn->Width());
 %}
-## Converts a :bro:type:`string` to a :bro:type:`double`.
+## Converts a :zeek:type:`string` to a :zeek:type:`double`.
 ##
-## str: The :bro:type:`string` to convert.
+## str: The :zeek:type:`string` to convert.
 ##
-## Returns: The :bro:type:`string` *str* as double, or 0 if *str* has
+## Returns: The :zeek:type:`string` *str* as double, or 0 if *str* has
 ## an invalid format.
 ##
 function to_double%(str: string%): double
@@ -2487,13 +2487,13 @@ function to_double%(str: string%): double
 return new Val(d, TYPE_DOUBLE);
 %}
-## Converts a :bro:type:`count` to an :bro:type:`addr`.
+## Converts a :zeek:type:`count` to an :zeek:type:`addr`.
 ##
-## ip: The :bro:type:`count` to convert.
+## ip: The :zeek:type:`count` to convert.
 ##
-## Returns: The :bro:type:`count` *ip* as :bro:type:`addr`.
+## Returns: The :zeek:type:`count` *ip* as :zeek:type:`addr`.
 ##
-## .. bro:see:: raw_bytes_to_v4_addr to_addr to_subnet
+## .. zeek:see:: raw_bytes_to_v4_addr to_addr to_subnet
 function count_to_v4_addr%(ip: count%): addr
 %{
 if ( ip > 4294967295LU )
@@ -2505,15 +2505,15 @@ function count_to_v4_addr%(ip: count%): addr
 return new AddrVal(htonl(uint32(ip)));
 %}
-## Converts a :bro:type:`string` of bytes into an IPv4 address. In particular,
+## Converts a :zeek:type:`string` of bytes into an IPv4 address. In particular,
 ## this function interprets the first 4 bytes of the string as an IPv4 address
 ## in network order.
 ##
-## b: The raw bytes (:bro:type:`string`) to convert.
+## b: The raw bytes (:zeek:type:`string`) to convert.
 ##
-## Returns: The byte :bro:type:`string` *b* as :bro:type:`addr`.
+## Returns: The byte :zeek:type:`string` *b* as :zeek:type:`addr`.
 ##
-## .. bro:see:: raw_bytes_to_v4_addr to_addr to_subnet
+## .. zeek:see:: raw_bytes_to_v4_addr to_addr to_subnet
 function raw_bytes_to_v4_addr%(b: string%): addr
 %{
 uint32 a = 0;
@@ -2530,13 +2530,13 @@ function raw_bytes_to_v4_addr%(b: string%): addr
 return new AddrVal(htonl(a));
 %}
-## Converts a :bro:type:`string` to a :bro:type:`port`.
+## Converts a :zeek:type:`string` to a :zeek:type:`port`.
 ##
-## s: The :bro:type:`string` to convert.
+## s: The :zeek:type:`string` to convert.
 ##
-## Returns: A :bro:type:`port` converted from *s*.
+## Returns: A :zeek:type:`port` converted from *s*.
 ##
-## .. bro:see:: to_addr to_count to_int to_subnet
+## .. zeek:see:: to_addr to_count to_int to_subnet
 function to_port%(s: string%): port
 %{
 int port = 0;
@@ -2561,7 +2561,7 @@ function to_port%(s: string%): port
 return val_mgr->GetPort(port, TRANSPORT_UNKNOWN);
 %}
-## Converts a string of bytes (in network byte order) to a :bro:type:`double`.
+## Converts a string of bytes (in network byte order) to a :zeek:type:`double`.
 ##
 ## s: A string of bytes containing the binary representation of a double value.
 ##
@@ -2582,7 +2582,7 @@ function bytestring_to_double%(s: string%): double
 return new Val(ntohd(d), TYPE_DOUBLE);
 %}
-## Converts a string of bytes to a :bro:type:`count`.
+## Converts a string of bytes to a :zeek:type:`count`.
 ##
 ## s: A string of bytes containing the binary representation of the value.
 ##
@@ -2680,7 +2680,7 @@ function bytestring_to_count%(s: string, is_le: bool &default=F%): count
 ##
 ## Returns: The IP address corresponding to *s*.
 ##
-## .. bro:see:: addr_to_ptr_name to_addr
+## .. zeek:see:: addr_to_ptr_name to_addr
 function ptr_name_to_addr%(s: string%): addr
 %{
 if ( s->Len() != 72 )
@@ -2744,7 +2744,7 @@ function ptr_name_to_addr%(s: string%): addr
 ##
 ## Returns: The reverse pointer representation of *a*.
 ##
-## .. bro:see:: ptr_name_to_addr to_addr
+## .. zeek:see:: ptr_name_to_addr to_addr
 function addr_to_ptr_name%(a: addr%): string
 %{
 return new StringVal(a->AsAddr().PtrName().c_str());
@@ -2757,7 +2757,7 @@ function addr_to_ptr_name%(a: addr%): string
 ##
 ## Returns: The hexadecimal representation of *bytestring*.
 ##
-## .. bro:see:: hexdump hexstr_to_bytestring
+## .. zeek:see:: hexdump hexstr_to_bytestring
 function bytestring_to_hexstr%(bytestring: string%): string
 %{
 bro_uint_t len = bytestring->AsString()->Len();
@@ -2781,7 +2781,7 @@ function bytestring_to_hexstr%(bytestring: string%): string
 ##
 ## Returns: The binary representation of *hexstr*.
 ##
-## .. bro:see:: hexdump bytestring_to_hexstr
+## .. zeek:see:: hexdump bytestring_to_hexstr
 function hexstr_to_bytestring%(hexstr: string%): string
 %{
 bro_uint_t len = hexstr->AsString()->Len();
@@ -2826,7 +2826,7 @@ function hexstr_to_bytestring%(hexstr: string%): string
 ##
 ## Returns: The encoded version of *s*.
 ##
-## .. bro:see:: decode_base64
+## .. zeek:see:: decode_base64
 function encode_base64%(s: string, a: string &default=""%): string
 %{
 BroString* t = encode_base64(s->AsString(), a->AsString());
@@ -2849,7 +2849,7 @@ function encode_base64%(s: string, a: string &default=""%): string
 ##
 ## Returns: The encoded version of *s*.
 ##
-## .. bro:see:: encode_base64
+## .. zeek:see:: encode_base64
 function encode_base64_custom%(s: string, a: string%): string &deprecated
 %{
 BroString* t = encode_base64(s->AsString(), a->AsString());
@@ -2871,7 +2871,7 @@ function encode_base64_custom%(s: string, a: string%): string &deprecated
 ##
 ## Returns: The decoded version of *s*.
 ##
-## .. bro:see:: decode_base64_conn encode_base64
+## .. zeek:see:: decode_base64_conn encode_base64
 function decode_base64%(s: string, a: string &default=""%): string
 %{
 BroString* t = decode_base64(s->AsString(), a->AsString());
@@ -2897,7 +2897,7 @@ function decode_base64%(s: string, a: string &default=""%): string
 ##
 ## Returns: The decoded version of *s*.
 ##
-## .. bro:see:: decode_base64
+## .. zeek:see:: decode_base64
 function decode_base64_conn%(cid: conn_id, s: string, a: string &default=""%): string
 %{
 Connection* conn = sessions->FindConnection(cid);
@@ -2926,7 +2926,7 @@ function decode_base64_conn%(cid: conn_id, s: string, a: string &default=""%): s
 ##
 ## Returns: The decoded version of *s*.
 ##
-## .. bro:see:: decode_base64 decode_base64_conn
+## .. zeek:see:: decode_base64 decode_base64_conn
 function decode_base64_custom%(s: string, a: string%): string &deprecated
 %{
 BroString* t = decode_base64(s->AsString(), a->AsString());
@@ -2990,12 +2990,12 @@ function uuid_to_string%(uuid: string%): string
 ##
 ## Returns: The compiled pattern of the concatenation of *p1* and *p2*.
 ##
-## .. bro:see:: convert_for_pattern string_to_pattern
+## .. zeek:see:: convert_for_pattern string_to_pattern
 ##
 ## .. note::
 ##
 ## This function must be called at Zeek startup time, e.g., in the event
-## :bro:id:`zeek_init`.
+## :zeek:id:`zeek_init`.
 function merge_pattern%(p1: pattern, p2: pattern%): pattern &deprecated
 %{
 RE_Matcher* re = new RE_Matcher();
@@ -3028,16 +3028,16 @@ char* to_pat_str(int sn, const char* ss)
 }
 %%}
-## Escapes a string so that it becomes a valid :bro:type:`pattern` and can be
-## used with the :bro:id:`string_to_pattern`. Any character from the set
+## Escapes a string so that it becomes a valid :zeek:type:`pattern` and can be
+## used with the :zeek:id:`string_to_pattern`. Any character from the set
 ## ``^$-:"\/|*+?.(){}[]`` is prefixed with a ``\``.
 ##
 ## s: The string to escape.
 ##
 ## Returns: An escaped version of *s* that has the structure of a valid
-## :bro:type:`pattern`.
+## :zeek:type:`pattern`.
 ##
-## .. bro:see:: merge_pattern string_to_pattern
+## .. zeek:see:: merge_pattern string_to_pattern
 ##
 function convert_for_pattern%(s: string%): string
 %{
@@ -3047,22 +3047,22 @@ function convert_for_pattern%(s: string%): string return ret; %} -## Converts a :bro:type:`string` into a :bro:type:`pattern`. +## Converts a :zeek:type:`string` into a :zeek:type:`pattern`. ## ## s: The string to convert. ## ## convert: If true, *s* is first passed through the function -## :bro:id:`convert_for_pattern` to escape special characters of +## :zeek:id:`convert_for_pattern` to escape special characters of ## patterns. ## -## Returns: *s* as :bro:type:`pattern`. +## Returns: *s* as :zeek:type:`pattern`. ## -## .. bro:see:: convert_for_pattern merge_pattern +## .. zeek:see:: convert_for_pattern merge_pattern ## ## .. note:: ## ## This function must be called at Zeek startup time, e.g., in the event -## :bro:id:`zeek_init`. +## :zeek:id:`zeek_init`. function string_to_pattern%(s: string, convert: bool%): pattern %{ const char* ss = (const char*) (s->Bytes()); @@ -3147,7 +3147,7 @@ function strptime%(fmt: string, d: string%) : time ## ## Returns: The address *a* masked down to *top_bits_to_keep* bits. ## -## .. bro:see:: remask_addr +## .. zeek:see:: remask_addr function mask_addr%(a: addr, top_bits_to_keep: count%): subnet %{ return new SubNetVal(a->AsAddr(), top_bits_to_keep); @@ -3169,7 +3169,7 @@ function mask_addr%(a: addr, top_bits_to_keep: count%): subnet ## ## Returns: The address *a* masked down to *top_bits_to_keep* bits. ## -## .. bro:see:: mask_addr +## .. zeek:see:: mask_addr function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr %{ IPAddr addr1(a1->AsAddr()); 
@@ -3179,37 +3179,37 @@ function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr return new AddrVal(addr1|addr2); %} -## Checks whether a given :bro:type:`port` has TCP as transport protocol. +## Checks whether a given :zeek:type:`port` has TCP as transport protocol. ## -## p: The :bro:type:`port` to check. +## p: The :zeek:type:`port` to check. ## ## Returns: True iff *p* is a TCP port. ## -## .. bro:see:: is_udp_port is_icmp_port +## .. zeek:see:: is_udp_port is_icmp_port function is_tcp_port%(p: port%): bool %{ return val_mgr->GetBool(p->IsTCP()); %} -## Checks whether a given :bro:type:`port` has UDP as transport protocol. +## Checks whether a given :zeek:type:`port` has UDP as transport protocol. ## -## p: The :bro:type:`port` to check. +## p: The :zeek:type:`port` to check. ## ## Returns: True iff *p* is a UDP port. ## -## .. bro:see:: is_icmp_port is_tcp_port +## .. zeek:see:: is_icmp_port is_tcp_port function is_udp_port%(p: port%): bool %{ return val_mgr->GetBool(p->IsUDP()); %} -## Checks whether a given :bro:type:`port` has ICMP as transport protocol. +## Checks whether a given :zeek:type:`port` has ICMP as transport protocol. ## -## p: The :bro:type:`port` to check. +## p: The :zeek:type:`port` to check. ## ## Returns: True iff *p* is an ICMP port. ## -## .. bro:see:: is_tcp_port is_udp_port +## .. zeek:see:: is_tcp_port is_udp_port function is_icmp_port%(p: port%): bool %{ return val_mgr->GetBool(p->IsICMP()); @@ -3251,7 +3251,7 @@ EnumVal* map_conn_type(TransportProto tp) ## ## Returns: The transport protocol of the connection identified by *cid*. ## -## .. bro:see:: get_port_transport_proto +## .. zeek:see:: get_port_transport_proto ## get_orig_seq get_resp_seq function get_conn_transport_proto%(cid: conn_id%): transport_proto %{ 
@@ -3265,13 +3265,13 @@ function get_conn_transport_proto%(cid: conn_id%): transport_proto return map_conn_type(c->ConnTransport()); %} -## Extracts the transport protocol from a :bro:type:`port`. +## Extracts the transport protocol from a :zeek:type:`port`. ## ## p: The port. ## ## Returns: The transport protocol of the port *p*. ## -## .. bro:see:: get_conn_transport_proto +## .. zeek:see:: get_conn_transport_proto ## get_orig_seq get_resp_seq function get_port_transport_proto%(p: port%): transport_proto %{ @@ -3284,7 +3284,7 @@ function get_port_transport_proto%(p: port%): transport_proto ## ## Returns: True if the connection identified by *c* exists. ## -## .. bro:see:: lookup_connection +## .. zeek:see:: lookup_connection function connection_exists%(c: conn_id%): bool %{ if ( sessions->FindConnection(c) ) @@ -3293,15 +3293,15 @@ function connection_exists%(c: conn_id%): bool return val_mgr->GetBool(0); %} -## Returns the :bro:type:`connection` record for a given connection identifier. +## Returns the :zeek:type:`connection` record for a given connection identifier. ## ## cid: The connection ID. ## -## Returns: The :bro:type:`connection` record for *cid*. If *cid* does not point +## Returns: The :zeek:type:`connection` record for *cid*. If *cid* does not point ## to an existing connection, the function generates a run-time error ## and returns a dummy value. ## -## .. bro:see:: connection_exists +## .. zeek:see:: connection_exists function lookup_connection%(cid: conn_id%): connection %{ Connection* conn = sessions->FindConnection(cid); @@ -3361,7 +3361,7 @@ const char* conn_id_string(Val* c) ## ## Returns: True on success. ## -## .. bro:see:: dump_packet get_current_packet send_current_packet +## .. zeek:see:: dump_packet get_current_packet send_current_packet function dump_current_packet%(file_name: string%) : bool %{ const Packet* pkt; 
@@ -3392,7 +3392,7 @@ function dump_current_packet%(file_name: string%) : bool ## Returns: The currently processed packet, which is a record ## containing the timestamp, ``snaplen``, and packet data. ## -## .. bro:see:: dump_current_packet dump_packet send_current_packet +## .. zeek:see:: dump_current_packet dump_packet send_current_packet function get_current_packet%(%) : pcap_packet %{ const Packet* p; @@ -3422,10 +3422,10 @@ function get_current_packet%(%) : pcap_packet ## Function to get the raw headers of the currently processed packet. ## -## Returns: The :bro:type:`raw_pkt_hdr` record containing the Layer 2, 3 and +## Returns: The :zeek:type:`raw_pkt_hdr` record containing the Layer 2, 3 and ## 4 headers of the currently processed packet. ## -## .. bro:see:: raw_pkt_hdr get_current_packet +## .. zeek:see:: raw_pkt_hdr get_current_packet function get_current_packet_header%(%) : raw_pkt_hdr %{ const Packet* p; @@ -3448,7 +3448,7 @@ function get_current_packet_header%(%) : raw_pkt_hdr ## ## Returns: True on success ## -## .. bro:see:: get_current_packet dump_current_packet send_current_packet +## .. zeek:see:: get_current_packet dump_current_packet send_current_packet function dump_packet%(pkt: pcap_packet, file_name: string%) : bool %{ if ( addl_pkt_dumper && addl_pkt_dumper->Path() != file_name->CheckString()) @@ -3555,7 +3555,7 @@ private: ## ## Returns: The DNS name of *host*. ## -## .. bro:see:: lookup_hostname +## .. zeek:see:: lookup_hostname function lookup_addr%(host: addr%) : string %{ // FIXME: It should be easy to adapt the function to synchronous @@ -3584,7 +3584,7 @@ function lookup_addr%(host: addr%) : string ## ## Returns: The DNS TXT record associated with *host*. ## -## .. bro:see:: lookup_hostname +## .. zeek:see:: lookup_hostname function lookup_hostname_txt%(host: string%) : string %{ // FIXME: Is should be easy to adapt the function to synchronous 
@@ -3613,7 +3613,7 @@ function lookup_hostname_txt%(host: string%) : string ## ## Returns: A set of DNS A and AAAA records associated with *host*. ## -## .. bro:see:: lookup_addr +## .. zeek:see:: lookup_addr function lookup_hostname%(host: string%) : addr_set %{ // FIXME: Is should be easy to adapt the function to synchronous @@ -3945,7 +3945,7 @@ static bool mmdb_try_open_asn () ## ## Returns: A boolean indicating whether the db was successfully opened. ## -## .. bro:see:: lookup_asn +## .. zeek:see:: lookup_asn function mmdb_open_location_db%(f: string%) : bool %{ #ifdef USE_GEOIP @@ -3962,7 +3962,7 @@ function mmdb_open_location_db%(f: string%) : bool ## ## Returns: A boolean indicating whether the db was successfully opened. ## -## .. bro:see:: lookup_asn +## .. zeek:see:: lookup_asn function mmdb_open_asn_db%(f: string%) : bool %{ #ifdef USE_GEOIP @@ -3979,7 +3979,7 @@ function mmdb_open_asn_db%(f: string%) : bool ## ## Returns: A record with country, region, city, latitude, and longitude. ## -## .. bro:see:: lookup_asn +## .. zeek:see:: lookup_asn function lookup_location%(a: addr%) : geo_location %{ RecordVal* location = new RecordVal(geo_location); @@ -4064,7 +4064,7 @@ function lookup_location%(a: addr%) : geo_location ## ## Returns: The number of the ASN that contains *a*. ## -## .. bro:see:: lookup_location +## .. zeek:see:: lookup_location function lookup_asn%(a: addr%) : count %{ #ifdef USE_GEOIP @@ -4128,7 +4128,7 @@ function lookup_asn%(a: addr%) : count ## ## Returns: Distance in miles. ## -## .. bro:see:: haversine_distance_ip +## .. zeek:see:: haversine_distance_ip function haversine_distance%(lat1: double, long1: double, lat2: double, long2: double%): double %{ const double PI = 3.14159; 
@@ -4254,7 +4254,7 @@ function file_mode%(mode: count%): string ## Returns: True if the connection identified by *cid* exists and has analyzer ## *aid*. ## -## .. bro:see:: Analyzer::schedule_analyzer Analyzer::name +## .. zeek:see:: Analyzer::schedule_analyzer Analyzer::name function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &default=T%) : bool %{ Connection* c = sessions->FindConnection(cid); @@ -4289,7 +4289,7 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau ## .. note:: ## ## Bro will still generate connection-oriented events such as -## :bro:id:`connection_finished`. +## :zeek:id:`connection_finished`. function skip_further_processing%(cid: conn_id%): bool %{ Connection* c = sessions->FindConnection(cid); @@ -4311,15 +4311,15 @@ function skip_further_processing%(cid: conn_id%): bool ## Returns: False if *cid* does not point to an active connection, and true ## otherwise. ## -## .. bro:see:: skip_further_processing +## .. zeek:see:: skip_further_processing ## ## .. note:: ## ## This is independent of whether Bro processes the packets of this ## connection, which is controlled separately by -## :bro:id:`skip_further_processing`. +## :zeek:id:`skip_further_processing`. ## -## .. bro:see:: get_contents_file set_contents_file +## .. zeek:see:: get_contents_file set_contents_file function set_record_packets%(cid: conn_id, do_record: bool%): bool %{ Connection* c = sessions->FindConnection(cid); 
@@ -4357,13 +4357,13 @@ function set_inactivity_timeout%(cid: conn_id, t: interval%): interval # =========================================================================== ## Opens a file for writing. If a file with the same name already exists, this -## function overwrites it (as opposed to :bro:id:`open_for_append`). +## function overwrites it (as opposed to :zeek:id:`open_for_append`). ## ## f: The path to the file. ## -## Returns: A :bro:type:`file` handle for subsequent operations. +## Returns: A :zeek:type:`file` handle for subsequent operations. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output ## rmdir unlink rename function open%(f: string%): file @@ -4377,13 +4377,13 @@ function open%(f: string%): file %} ## Opens a file for writing or appending. If a file with the same name already -## exists, this function appends to it (as opposed to :bro:id:`open`). +## exists, this function appends to it (as opposed to :zeek:id:`open`). ## ## f: The path to the file. ## -## Returns: A :bro:type:`file` handle for subsequent operations. +## Returns: A :zeek:type:`file` handle for subsequent operations. ## -## .. bro:see:: active_file open close write_file +## .. zeek:see:: active_file open close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output ## rmdir unlink rename function open_for_append%(f: string%): file @@ -4393,11 +4393,11 @@ function open_for_append%(f: string%): file ## Closes an open file and flushes any buffered content. ## -## f: A :bro:type:`file` handle to an open file. +## f: A :zeek:type:`file` handle to an open file. ## ## Returns: True on success. ## -## .. bro:see:: active_file open open_for_append write_file +## .. zeek:see:: active_file open open_for_append write_file ## get_file_name set_buf flush_all mkdir enable_raw_output ## rmdir unlink rename function close%(f: file%): bool 
@@ -4407,13 +4407,13 @@ function close%(f: file%): bool ## Writes data to an open file. ## -## f: A :bro:type:`file` handle to an open file. +## f: A :zeek:type:`file` handle to an open file. ## ## data: The data to write to *f*. ## ## Returns: True on success. ## -## .. bro:see:: active_file open open_for_append close +## .. zeek:see:: active_file open open_for_append close ## get_file_name set_buf flush_all mkdir enable_raw_output ## rmdir unlink rename function write_file%(f: file, data: string%): bool @@ -4426,14 +4426,14 @@ function write_file%(f: file, data: string%): bool ## Alters the buffering behavior of a file. ## -## f: A :bro:type:`file` handle to an open file. +## f: A :zeek:type:`file` handle to an open file. ## ## buffered: When true, *f* is fully buffered, i.e., bytes are saved in a ## buffer until the block size has been reached. When ## false, *f* is line buffered, i.e., bytes are saved up until a ## newline occurs. ## -## .. bro:see:: active_file open open_for_append close +## .. zeek:see:: active_file open open_for_append close ## get_file_name write_file flush_all mkdir enable_raw_output ## rmdir unlink rename function set_buf%(f: file, buffered: bool%): any @@ -4446,7 +4446,7 @@ function set_buf%(f: file, buffered: bool%): any ## ## Returns: True on success. ## -## .. bro:see:: active_file open open_for_append close +## .. zeek:see:: active_file open open_for_append close ## get_file_name write_file set_buf mkdir enable_raw_output ## rmdir unlink rename function flush_all%(%): bool @@ -4461,7 +4461,7 @@ function flush_all%(%): bool ## Returns: True if the operation succeeds or if *f* already exists, ## and false if the file creation fails. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output ## rmdir unlink rename function mkdir%(f: string%): bool 
@@ -4493,7 +4493,7 @@ function mkdir%(f: string%): bool ## Returns: True if the operation succeeds, and false if the ## directory delete operation fails. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output ## mkdir unlink rename function rmdir%(d: string%): bool @@ -4517,7 +4517,7 @@ function rmdir%(d: string%): bool ## Returns: True if the operation succeeds and the file was deleted, ## and false if the deletion fails. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output ## mkdir rmdir rename function unlink%(f: string%): bool @@ -4542,7 +4542,7 @@ function unlink%(f: string%): bool ## ## Returns: True if the rename succeeds and false otherwise. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output ## mkdir rmdir unlink function rename%(src_f: string, dst_f: string%): bool @@ -4564,7 +4564,7 @@ function rename%(src_f: string, dst_f: string%): bool ## ## f: The file to check. ## -## Returns: True if *f* is an open :bro:type:`file`. +## Returns: True if *f* is an open :zeek:type:`file`. ## ## .. todo:: Rename to ``is_open``. function active_file%(f: file%): bool @@ -4578,7 +4578,7 @@ function active_file%(f: file%): bool ## ## Returns: The filename associated with *f*. ## -## .. bro:see:: open +## .. zeek:see:: open function get_file_name%(f: file%): string %{ if ( ! f ) 
@@ -4594,7 +4594,7 @@ function get_file_name%(f: file%): string ## Returns: Rotation statistics which include the original file name, the name ## after the rotation, and the time when *f* was opened/closed. ## -## .. bro:see:: rotate_file_by_name calc_next_rotate +## .. zeek:see:: rotate_file_by_name calc_next_rotate function rotate_file%(f: file%): rotate_info %{ RecordVal* info = f->Rotate(); @@ -4618,7 +4618,7 @@ function rotate_file%(f: file%): rotate_info ## Returns: Rotation statistics which include the original file name, the name ## after the rotation, and the time when *f* was opened/closed. ## -## .. bro:see:: rotate_file calc_next_rotate +## .. zeek:see:: rotate_file calc_next_rotate function rotate_file_by_name%(f: string%): rotate_info %{ RecordVal* info = new RecordVal(rotate_info); @@ -4672,7 +4672,7 @@ function rotate_file_by_name%(f: string%): rotate_info ## ## Returns: The duration until the next file rotation time. ## -## .. bro:see:: rotate_file rotate_file_by_name +## .. zeek:see:: rotate_file rotate_file_by_name function calc_next_rotate%(i: interval%) : interval %{ const char* base_time = log_rotate_base_time ? 
@@ -4697,16 +4697,16 @@ function file_size%(f: string%) : double return new Val(double(s.st_size), TYPE_DOUBLE); %} -## Disables sending :bro:id:`print_hook` events to remote peers for a given +## Disables sending :zeek:id:`print_hook` events to remote peers for a given ## file. In a ## distributed setup, communicating Bro instances generate the event -## :bro:id:`print_hook` for each print statement and send it to the remote +## :zeek:id:`print_hook` for each print statement and send it to the remote ## side. When disabled for a particular file, these events will not be ## propagated to other peers. ## -## f: The file to disable :bro:id:`print_hook` events for. +## f: The file to disable :zeek:id:`print_hook` events for. ## -## .. bro:see:: enable_raw_output +## .. zeek:see:: enable_raw_output function disable_print_hook%(f: file%): any %{ f->DisablePrintHook(); @@ -4714,11 +4714,11 @@ function disable_print_hook%(f: file%): any %} ## Prevents escaping of non-ASCII characters when writing to a file. -## This function is equivalent to :bro:attr:`&raw_output`. +## This function is equivalent to :zeek:attr:`&raw_output`. ## ## f: The file to disable raw output for. ## -## .. bro:see:: disable_print_hook +## .. zeek:see:: disable_print_hook function enable_raw_output%(f: file%): any %{ f->EnableRawOutput(); @@ -4745,7 +4745,7 @@ function enable_raw_output%(f: file%): any ## ## Returns: True (unconditionally). ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_net_filter ## uninstall_src_addr_filter @@ -4775,7 +4775,7 @@ function install_src_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : b ## ## Returns: True (unconditionally). ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## uninstall_src_addr_filter 
@@ -4799,7 +4799,7 @@ function install_src_net_filter%(snet: subnet, tcp_flags: count, prob: double%) ## ## Returns: True on success. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4820,7 +4820,7 @@ function uninstall_src_addr_filter%(ip: addr%) : bool ## ## Returns: True on success. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4850,7 +4850,7 @@ function uninstall_src_net_filter%(snet: subnet%) : bool ## ## Returns: True (unconditionally). ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4880,7 +4880,7 @@ function install_dst_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : b ## ## Returns: True (unconditionally). ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4904,7 +4904,7 @@ function install_dst_net_filter%(snet: subnet, tcp_flags: count, prob: double%) ## ## Returns: True on success. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4925,7 +4925,7 @@ function uninstall_dst_addr_filter%(ip: addr%) : bool ## ## Returns: True on success. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter 
@@ -4966,13 +4966,13 @@ function enable_communication%(%): any &deprecated return 0; %} -## Flushes in-memory state tagged with the :bro:attr:`&persistent` attribute +## Flushes in-memory state tagged with the :zeek:attr:`&persistent` attribute ## to disk. The function writes the state to the file ``.state/state.bst`` in ## the directory where Bro was started. ## ## Returns: True on success. ## -## .. bro:see:: rescan_state +## .. zeek:see:: rescan_state function checkpoint_state%(%) : bool %{ return val_mgr->GetBool(persistence_serializer->WriteState(true)); @@ -4980,11 +4980,11 @@ function checkpoint_state%(%) : bool ## Reads persistent state and populates the in-memory data structures ## accordingly. Persistent state is read from the ``.state`` directory. -## This function is the dual to :bro:id:`checkpoint_state`. +## This function is the dual to :zeek:id:`checkpoint_state`. ## ## Returns: True on success. ## -## .. bro:see:: checkpoint_state +## .. zeek:see:: checkpoint_state function rescan_state%(%) : bool %{ return val_mgr->GetBool(persistence_serializer->ReadAll(false, true)); @@ -4997,7 +4997,7 @@ function rescan_state%(%) : bool ## ## Returns: True if opening the target file succeeds. ## -## .. bro:see:: capture_state_updates +## .. zeek:see:: capture_state_updates function capture_events%(filename: string%) : bool %{ if ( ! event_serializer ) @@ -5009,14 +5009,14 @@ function capture_events%(filename: string%) : bool (const char*) filename->CheckString())); %} -## Writes state updates generated by :bro:attr:`&synchronized` variables to a +## Writes state updates generated by :zeek:attr:`&synchronized` variables to a ## file. ## ## filename: The name of the file which stores the state updates. ## ## Returns: True if opening the target file succeeds. ## -## .. bro:see:: capture_events +## .. zeek:see:: capture_events function capture_state_updates%(filename: string%) : bool %{ if ( ! state_serializer ) 
@@ -5049,7 +5049,7 @@ function capture_state_updates%(filename: string%) : bool ## ## Returns: A locally unique ID of the new peer. ## -## .. bro:see:: disconnect +## .. zeek:see:: disconnect ## listen ## request_remote_events ## request_remote_sync @@ -5068,11 +5068,11 @@ function connect%(ip: addr, zone_id: string, p: port, our_class: string, retry: ## Terminate the connection with a peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True on success. ## -## .. bro:see:: connect listen +## .. zeek:see:: connect listen function disconnect%(p: event_peer%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); @@ -5082,13 +5082,13 @@ function disconnect%(p: event_peer%) : bool &deprecated ## Subscribes to all events from a remote peer whose names match a given ## pattern. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## handlers: The pattern describing the events to request from peer *p*. ## ## Returns: True on success. ## -## .. bro:see:: request_remote_sync +## .. zeek:see:: request_remote_sync ## request_remote_logs ## set_accept_state function request_remote_events%(p: event_peer, handlers: pattern%) : bool &deprecated @@ -5099,14 +5099,14 @@ function request_remote_events%(p: event_peer, handlers: pattern%) : bool &depre ## Requests synchronization of IDs with a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## auth: If true, the local instance considers its current state authoritative ## and sends it to *p* right after the handshake. ## ## Returns: True on success. ## -## .. bro:see:: request_remote_events +## .. zeek:see:: request_remote_events ## request_remote_logs ## set_accept_state function request_remote_sync%(p: event_peer, auth: bool%) : bool &deprecated 
@@ -5117,11 +5117,11 @@ function request_remote_sync%(p: event_peer, auth: bool%) : bool &deprecated ## Requests logs from a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True on success. ## -## .. bro:see:: request_remote_events +## .. zeek:see:: request_remote_events ## request_remote_sync function request_remote_logs%(p: event_peer%) : bool &deprecated %{ @@ -5131,13 +5131,13 @@ function request_remote_logs%(p: event_peer%) : bool &deprecated ## Sets a boolean flag indicating whether Bro accepts state from a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## accept: True if Bro accepts state from peer *p*, or false otherwise. ## ## Returns: True on success. ## -## .. bro:see:: request_remote_events +## .. zeek:see:: request_remote_events ## request_remote_sync ## set_compression_level function set_accept_state%(p: event_peer, accept: bool%) : bool &deprecated @@ -5148,14 +5148,14 @@ function set_accept_state%(p: event_peer, accept: bool%) : bool &deprecated ## Sets the compression level of the session with a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## level: Allowed values are in the range *[0, 9]*, where 0 is the default and ## means no compression. ## ## Returns: True on success. ## -## .. bro:see:: set_accept_state +## .. zeek:see:: set_accept_state function set_compression_level%(p: event_peer, level: count%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); 
@@ -5181,7 +5181,7 @@ function set_compression_level%(p: event_peer, level: count%) : bool &deprecated ## ## Returns: True on success. ## -## .. bro:see:: connect disconnect +## .. zeek:see:: connect disconnect function listen%(ip: addr, p: port, ssl: bool, ipv6: bool, zone_id: string, retry_interval: interval%) : bool &deprecated %{ return val_mgr->GetBool(remote_serializer->Listen(ip->AsAddr(), p->Port(), ssl, ipv6, zone_id->CheckString(), retry_interval)); @@ -5197,11 +5197,11 @@ function is_remote_event%(%) : bool ## Sends all persistent state to a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True on success. ## -## .. bro:see:: send_id send_ping send_current_packet send_capture_filter +## .. zeek:see:: send_id send_ping send_current_packet send_capture_filter function send_state%(p: event_peer%) : bool %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); @@ -5211,13 +5211,13 @@ function send_state%(p: event_peer%) : bool ## Sends a global identifier to a remote peer, which then might install it ## locally. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## id: The identifier to send. ## ## Returns: True on success. ## -## .. bro:see:: send_state send_ping send_current_packet send_capture_filter +## .. zeek:see:: send_state send_ping send_current_packet send_capture_filter function send_id%(p: event_peer, id: string%) : bool &deprecated %{ RemoteSerializer::PeerID pid = p->AsRecordVal()->Lookup(0)->AsCount(); @@ -5245,7 +5245,7 @@ function terminate_communication%(%) : bool &deprecated ## Signals a remote peer that the local Bro instance finished the initial ## handshake. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True on success. function complete_handshake%(p: event_peer%) : bool &deprecated 
@@ -5255,16 +5255,16 @@ function complete_handshake%(p: event_peer%) : bool &deprecated %} ## Sends a ping event to a remote peer. In combination with an event handler -## for :bro:id:`remote_pong`, this function can be used to measure latency +## for :zeek:id:`remote_pong`, this function can be used to measure latency ## between two peers. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## -## seq: A sequence number (also included by :bro:id:`remote_pong`). +## seq: A sequence number (also included by :zeek:id:`remote_pong`). ## ## Returns: True if sending the ping succeeds. ## -## .. bro:see:: send_state send_id send_current_packet send_capture_filter +## .. zeek:see:: send_state send_id send_current_packet send_capture_filter function send_ping%(p: event_peer, seq: count%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); @@ -5273,11 +5273,11 @@ function send_ping%(p: event_peer, seq: count%) : bool &deprecated ## Sends the currently processed packet to a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True if sending the packet succeeds. ## -## .. bro:see:: send_id send_state send_ping send_capture_filter +## .. zeek:see:: send_id send_state send_ping send_capture_filter ## dump_packet dump_current_packet get_current_packet function send_current_packet%(p: event_peer%) : bool &deprecated %{ @@ -5301,7 +5301,7 @@ function send_current_packet%(p: event_peer%) : bool &deprecated ## ## Returns: The ID of the peer who generated the last event. ## -## .. bro:see:: get_local_event_peer +## .. zeek:see:: get_local_event_peer function get_event_peer%(%) : event_peer &deprecated %{ SourceID src = mgr.CurrentSource(); 
@@ -5340,7 +5340,7 @@ function get_event_peer%(%) : event_peer &deprecated ## ## Returns: The peer ID of the local Bro instance. ## -## .. bro:see:: get_event_peer +## .. zeek:see:: get_event_peer function get_local_event_peer%(%) : event_peer &deprecated %{ RecordVal* p = mgr.GetLocalPeerVal(); @@ -5350,13 +5350,13 @@ function get_local_event_peer%(%) : event_peer &deprecated ## Sends a capture filter to a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## s: The capture filter. ## ## Returns: True if sending the packet succeeds. ## -## .. bro:see:: send_id send_state send_ping send_current_packet +## .. zeek:see:: send_id send_state send_ping send_current_packet function send_capture_filter%(p: event_peer, s: string%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); @@ -5367,7 +5367,7 @@ function send_capture_filter%(p: event_peer, s: string%) : bool &deprecated ## distributed trace processing with communication enabled ## (*pseudo-realtime* mode). ## -## .. bro:see:: continue_processing suspend_state_updates resume_state_updates +## .. zeek:see:: continue_processing suspend_state_updates resume_state_updates function suspend_processing%(%) : any %{ net_suspend_processing(); 
@@ -5376,16 +5376,16 @@ function suspend_processing%(%) : any ## Resumes Bro's packet processing. ## -## .. bro:see:: suspend_processing suspend_state_updates resume_state_updates +## .. zeek:see:: suspend_processing suspend_state_updates resume_state_updates function continue_processing%(%) : any %{ net_continue_processing(); return 0; %} -## Stops propagating :bro:attr:`&synchronized` accesses. +## Stops propagating :zeek:attr:`&synchronized` accesses. ## -## .. bro:see:: suspend_processing continue_processing resume_state_updates +## .. zeek:see:: suspend_processing continue_processing resume_state_updates function suspend_state_updates%(%) : any &deprecated %{ if ( remote_serializer ) @@ -5393,9 +5393,9 @@ function suspend_state_updates%(%) : any &deprecated return 0; %} -## Resumes propagating :bro:attr:`&synchronized` accesses. +## Resumes propagating :zeek:attr:`&synchronized` accesses. ## -## .. bro:see:: suspend_processing continue_processing suspend_state_updates +## .. zeek:see:: suspend_processing continue_processing suspend_state_updates function resume_state_updates%(%) : any &deprecated %{ if ( remote_serializer ) @@ -5442,7 +5442,7 @@ function match_signatures%(c: connection, pattern_type: int, s: string, ## ## width: The number of bits from the top that should remain intact. ## -## .. bro:see:: preserve_subnet anonymize_addr +## .. zeek:see:: preserve_subnet anonymize_addr ## ## .. todo:: Currently dysfunctional. function preserve_prefix%(a: addr, width: count%): any @@ -5468,7 +5468,7 @@ function preserve_prefix%(a: addr, width: count%): any ## ## a: The subnet to preserve. ## -## .. bro:see:: preserve_prefix anonymize_addr +## .. zeek:see:: preserve_prefix anonymize_addr ## ## .. todo:: Currently dysfunctional. function preserve_subnet%(a: subnet%): any 
@@ -5504,7 +5504,7 @@ function preserve_subnet%(a: subnet%): any ## ## Returns: An anonymized version of *a*. ## -## .. bro:see:: preserve_prefix preserve_subnet +## .. zeek:see:: preserve_prefix preserve_subnet ## ## .. todo:: Currently dysfunctional. function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr diff --git a/src/broker/data.bif b/src/broker/data.bif index 2f6dc2cd77..53ce5d506c 100644 --- a/src/broker/data.bif +++ b/src/broker/data.bif @@ -7,7 +7,7 @@ module Broker; -## Enumerates the possible types that :bro:see:`Broker::Data` may be in +## Enumerates the possible types that :zeek:see:`Broker::Data` may be in ## terms of Bro data types. enum DataType %{ NONE, diff --git a/src/broker/messaging.bif b/src/broker/messaging.bif index ec7696c752..807cefa3fc 100644 --- a/src/broker/messaging.bif +++ b/src/broker/messaging.bif @@ -74,7 +74,7 @@ module Broker; type Broker::Event: record; ## Create a data structure that may be used to send a remote event via -## :bro:see:`Broker::publish`. +## :zeek:see:`Broker::publish`. ## ## args: an event, followed by a list of argument values that may be used ## to call it. @@ -93,7 +93,7 @@ function Broker::make_event%(...%): Broker::Event ## topic: a topic associated with the event message. ## ## args: Either the event arguments as already made by -## :bro:see:`Broker::make_event` or the argument list to pass along +## :zeek:see:`Broker::make_event` or the argument list to pass along ## to it. ## ## Returns: true if the message is sent. @@ -172,7 +172,7 @@ type Cluster::Pool: record; ## script like "Intel::cluster_rr_key". ## ## args: Either the event arguments as already made by -## :bro:see:`Broker::make_event` or the argument list to pass along +## :zeek:see:`Broker::make_event` or the argument list to pass along ## to it. ## ## Returns: true if the message is sent. 
@@ -215,7 +215,7 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool ## distribute keys among available nodes. ## ## args: Either the event arguments as already made by -## :bro:see:`Broker::make_event` or the argument list to pass along +## :zeek:see:`Broker::make_event` or the argument list to pass along ## to it. ## ## Returns: true if the message is sent. diff --git a/src/event.bif b/src/event.bif index 2cab61752c..3932618188 100644 --- a/src/event.bif +++ b/src/event.bif @@ -24,7 +24,7 @@ # # - Parameters # -# - .. bro:see:: +# - .. zeek:see:: # # - .. note:: # @@ -35,12 +35,12 @@ ## one-time initialization code at startup. At the time a handler runs, Zeek will ## have executed any global initializations and statements. ## -## .. bro:see:: zeek_done +## .. zeek:see:: zeek_done ## ## .. note:: ## ## When a ``zeek_init`` handler executes, Zeek has not yet seen any input -## packets and therefore :bro:id:`network_time` is not initialized yet. An +## packets and therefore :zeek:id:`network_time` is not initialized yet. An ## artifact of that is that any timer installed in a ``zeek_init`` handler ## will fire immediately with the first packet. The standard way to work ## around that is to ignore the first time the timer fires and immediately @@ -50,7 +50,7 @@ event zeek_init%(%); ## Deprecated synonym for ``zeek_init``. ## -## .. bro:see: zeek_init +## .. zeek:see: zeek_init event bro_init%(%) &deprecated; ## Generated at Zeek termination time. The event engine generates this event when 
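Review bot: The added line `## .. zeek:see: zeek_init` above `event bro_init` has a single colon after `see`, while every other cross-reference in this file uses the directive form `.. zeek:see::`. With one colon, reStructuredText most likely treats the line as a comment rather than a directive, so the link from the deprecated synonym to `zeek_init` would be missing from the generated documentation. Since the line is being rewritten anyway, it should read `## .. zeek:see:: zeek_init`; the same applies to `## .. zeek:see: zeek_done` above `bro_done` and `## .. zeek:see: zeek_script_loaded` above `bro_script_loaded` in later hunks of this file.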
@@ -58,17 +58,17 @@ event bro_init%(%) &deprecated; ## trace file(s), receiving a termination signal, or because Zeek was run without ## a network input source and has finished executing any global statements. ## -## .. bro:see:: zeek_init +## .. zeek:see:: zeek_init ## ## .. note:: ## -## If Zeek terminates due to an invocation of :bro:id:`exit`, then this event +## If Zeek terminates due to an invocation of :zeek:id:`exit`, then this event ## is not generated. event zeek_done%(%); ## Deprecated synonym for ``zeek_done``. ## -## .. bro:see: zeek_done +## .. zeek:see: zeek_done event bro_done%(%) &deprecated; ## Generated for every new connection. This event is raised with the first @@ -78,7 +78,7 @@ event bro_done%(%) &deprecated; ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused @@ -108,12 +108,12 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); ## Generated when a TCP connection timed out. This event is raised when ## no activity was seen for an interval of at least -## :bro:id:`tcp_connection_linger`, and either one endpoint has already +## :zeek:id:`tcp_connection_linger`, and either one endpoint has already ## closed the connection or one side never became active. ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused 
@@ -125,7 +125,7 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); ## ## The precise semantics of this event can be unintuitive as it only ## covers a subset of cases where a connection times out. Often, handling -## :bro:id:`connection_state_remove` is the better option. That one will be +## :zeek:id:`connection_state_remove` is the better option. That one will be ## generated reliably when an interval of ``tcp_inactivity_timeout`` has ## passed without any activity seen (but also for all other ways a ## connection may terminate). @@ -140,7 +140,7 @@ event connection_timeout%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused @@ -155,7 +155,7 @@ event connection_state_remove%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_state_remove @@ -169,7 +169,7 @@ event connection_reused%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused 
@@ -188,7 +188,7 @@ event connection_status_update%(c: connection%); ## ## new_label: The new flow label that the endpoint is using. ## -## .. bro:see:: connection_established new_connection +## .. zeek:see:: connection_established new_connection event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%); ## Generated for a new connection received from the communication subsystem. @@ -208,11 +208,11 @@ event connection_external%(c: connection, tag: string%); ## ## u: The connection record for the corresponding UDP flow. ## -## .. bro:see:: udp_contents udp_reply udp_request +## .. zeek:see:: udp_contents udp_reply udp_request event udp_session_done%(u: connection%); ## Generated when a connection is seen that is marked as being expected. -## The function :bro:id:`Analyzer::schedule_analyzer` tells Bro to expect a +## The function :zeek:id:`Analyzer::schedule_analyzer` tells Bro to expect a ## particular connection to come up, and which analyzer to associate with it. ## Once the first packet of such a connection is indeed seen, this event is ## raised. @@ -220,11 +220,11 @@ event udp_session_done%(u: connection%); ## c: The connection. ## ## a: The analyzer that was scheduled for the connection with the -## :bro:id:`Analyzer::schedule_analyzer` call. When the event is raised, that +## :zeek:id:`Analyzer::schedule_analyzer` call. When the event is raised, that ## analyzer will already have been activated to process the connection. The ## ``count`` is one of the ``ANALYZER_*`` constants, e.g., ``ANALYZER_HTTP``. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused 
@@ -243,11 +243,11 @@ event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%); ## ## p: Information from the header of the packet that triggered the event. ## -## .. bro:see:: new_packet packet_contents +## .. zeek:see:: new_packet packet_contents event raw_packet%(p: raw_pkt_hdr%); ## Generated for all packets that make it into Bro's connection processing. In -## contrast to :bro:id:`raw_packet` this filters out some more packets that don't +## contrast to :zeek:id:`raw_packet` this filters out some more packets that don't ## pass certain sanity checks. ## ## This is a very low-level and expensive event that should be avoided when at all @@ -259,7 +259,7 @@ event raw_packet%(p: raw_pkt_hdr%); ## ## p: Information from the header of the packet that triggered the event. ## -## .. bro:see:: tcp_packet packet_contents raw_packet +## .. zeek:see:: tcp_packet packet_contents raw_packet event new_packet%(c: connection, p: pkt_hdr%); ## Generated for every IPv6 packet that contains extension headers. @@ -270,7 +270,7 @@ event new_packet%(c: connection, p: pkt_hdr%); ## ## p: Information from the header of the packet that triggered the event. ## -## .. bro:see:: new_packet tcp_packet packet_contents esp_packet +## .. zeek:see:: new_packet tcp_packet packet_contents esp_packet event ipv6_ext_headers%(c: connection, p: pkt_hdr%); ## Generated for any packets using the IPv6 Encapsulating Security Payload (ESP) 
@@ -278,35 +278,35 @@ event ipv6_ext_headers%(c: connection, p: pkt_hdr%); ## ## p: Information from the header of the packet that triggered the event. ## -## .. bro:see:: new_packet tcp_packet ipv6_ext_headers +## .. zeek:see:: new_packet tcp_packet ipv6_ext_headers event esp_packet%(p: pkt_hdr%); ## Generated for any packet using a Mobile IPv6 Mobility Header. ## ## p: Information from the header of the packet that triggered the event. ## -## .. bro:see:: new_packet tcp_packet ipv6_ext_headers +## .. zeek:see:: new_packet tcp_packet ipv6_ext_headers event mobile_ipv6_message%(p: pkt_hdr%); ## Generated for every packet that has a non-empty transport-layer payload. ## This is a very low-level and expensive event that should be avoided when ## at all possible. It's usually infeasible to handle when processing even ## medium volumes of traffic in real-time. It's even worse than -## :bro:id:`new_packet`. That said, if you work from a trace and want to +## :zeek:id:`new_packet`. That said, if you work from a trace and want to ## do some packet-level analysis, it may come in handy. ## ## c: The connection the packet is part of. ## ## contents: The raw transport-layer payload. ## -## .. bro:see:: new_packet tcp_packet +## .. zeek:see:: new_packet tcp_packet event packet_contents%(c: connection, contents: string%); ## Generated when Bro detects a TCP retransmission inconsistency. When ## reassembling a TCP stream, Bro buffers all payload until it sees the ## responder acking it. If during that time, the sender resends a chunk of ## payload but with different content than originally, this event will be -## raised. In addition, if :bro:id:`tcp_max_old_segments` is larger than zero, +## raised. In addition, if :zeek:id:`tcp_max_old_segments` is larger than zero, ## mismatches with that older still-buffered data will likewise trigger the event. ## ## c: The connection showing the inconsistency. 
@@ -321,7 +321,7 @@ event packet_contents%(c: connection, contents: string%); ## ``A`` -> ACK; ``P`` -> PUSH. This string will not always be set, ## only if the information is available; it's "best effort". ## -## .. bro:see:: tcp_rexmit tcp_contents +## .. zeek:see:: tcp_rexmit tcp_contents event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%); ## Generated when Bro detects a gap in a reassembled TCP payload stream. This @@ -362,14 +362,14 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); ## aid: A unique integer ID identifying the specific *instance* of the ## analyzer *atype* that is analyzing the connection ``c``. The ID can ## be used to reference the analyzer when using builtin functions like -## :bro:id:`disable_analyzer`. +## :zeek:id:`disable_analyzer`. ## -## .. bro:see:: protocol_violation +## .. zeek:see:: protocol_violation ## ## .. note:: ## ## Bro's default scripts use this event to determine the ``service`` column -## of :bro:type:`Conn::Info`: once confirmed, the protocol will be listed +## of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed ## there (and thus in ``conn.log``). event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%); 
@@ -390,16 +390,16 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%); ## aid: A unique integer ID identifying the specific *instance* of the ## analyzer *atype* that is analyzing the connection ``c``. The ID can ## be used to reference the analyzer when using builtin functions like -## :bro:id:`disable_analyzer`. +## :zeek:id:`disable_analyzer`. ## ## reason: TODO. ## -## .. bro:see:: protocol_confirmation +## .. zeek:see:: protocol_confirmation ## ## .. note:: ## ## Bro's default scripts use this event to disable an analyzer via -## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's +## :zeek:id:`disable_analyzer` if it's parsing the wrong protocol. That's ## however a script-level decision and not done automatically by the event ## engine. event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%); @@ -414,7 +414,7 @@ event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reaso ## ## rs: Statistics for the responder endpoint. ## -## .. bro:see:: connection_state_remove +## .. zeek:see:: connection_state_remove event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%); ## Generated for unexpected activity related to a specific connection. When @@ -431,7 +431,7 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%); ## ## addl: Optional additional context further describing the situation. ## -## .. bro:see:: flow_weird net_weird file_weird +## .. zeek:see:: flow_weird net_weird file_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol 
@@ -454,7 +454,7 @@ event conn_weird%(name: string, c: connection, addl: string%); ## ## dst: The destination address corresponding to the activity. ## -## .. bro:see:: conn_weird net_weird file_weird +## .. zeek:see:: conn_weird net_weird file_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol @@ -472,7 +472,7 @@ event flow_weird%(name: string, src: addr, dst: addr%); ## scripts use this name in filtering policies that specify which ## "weirds" are worth reporting. ## -## .. bro:see:: flow_weird file_weird +## .. zeek:see:: flow_weird file_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol @@ -493,7 +493,7 @@ event net_weird%(name: string%); ## ## addl: Additional information related to the weird. ## -## .. bro:see:: flow_weird net_weird conn_weird +## .. zeek:see:: flow_weird net_weird conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol @@ -502,7 +502,7 @@ event net_weird%(name: string%); event file_weird%(name: string, f: fa_file, addl: string%); ## Generated regularly for the purpose of profiling Bro's processing. This event -## is raised for every :bro:id:`load_sample_freq` packet. For these packets, +## is raised for every :zeek:id:`load_sample_freq` packet. For these packets, ## Bro records script-level functions executed during their processing as well ## as further internal locations. By sampling the processing in this form, one ## can understand where Bro spends its time. 
@@ -538,7 +538,7 @@ event signature_match%(state: signature_state, msg: string, data: string%); ## used on a system. This is a protocol-independent event that is fed by ## different analyzers. For example, the HTTP analyzer reports user-agent and ## server software by raising this event, assuming it can parse it (if not, -## :bro:id:`software_parse_error` will be generated instead). +## :zeek:id:`software_parse_error` will be generated instead). ## ## c: The connection. ## @@ -549,7 +549,7 @@ event signature_match%(state: signature_state, msg: string, data: string%); ## descr: The raw (unparsed) software identification string as extracted from ## the protocol. ## -## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found +## .. zeek:see:: software_parse_error software_unparsed_version_found OS_version_found event software_version_found%(c: connection, host: addr, s: software, descr: string%); @@ -557,7 +557,7 @@ event software_version_found%(c: connection, host: addr, ## used on a system but cannot parse it. This is a protocol-independent event ## that is fed by different analyzers. For example, the HTTP analyzer reports ## user-agent and server software by raising this event if it cannot parse them -## directly (if it can :bro:id:`software_version_found` will be generated +## directly (if it can :zeek:id:`software_version_found` will be generated ## instead). ## ## c: The connection. @@ -567,7 +567,7 @@ event software_version_found%(c: connection, host: addr, ## descr: The raw (unparsed) software identification string as extracted from ## the protocol. ## -## .. bro:see:: software_version_found software_unparsed_version_found +## .. zeek:see:: software_version_found software_unparsed_version_found ## OS_version_found event software_parse_error%(c: connection, host: addr, descr: string%); 
@@ -575,7 +575,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%); ## used on a system. This is a protocol-independent event that is fed by ## different analyzers. For example, the HTTP analyzer reports user-agent and ## server software by raising this event. Different from -## :bro:id:`software_version_found` and :bro:id:`software_parse_error`, this +## :zeek:id:`software_version_found` and :zeek:id:`software_parse_error`, this ## event is always raised, independent of whether Bro can parse the version ## string. ## @@ -585,13 +585,13 @@ event software_parse_error%(c: connection, host: addr, descr: string%); ## ## str: The software identification string as extracted from the protocol. ## -## .. bro:see:: software_parse_error software_version_found OS_version_found +## .. zeek:see:: software_parse_error software_version_found OS_version_found event software_unparsed_version_found%(c: connection, host: addr, str: string%); ## Generated when an operating system has been fingerprinted. Bro uses `p0f ## `__ to fingerprint endpoints passively, ## and it raises this event for each system identified. The p0f fingerprints are -## defined by :bro:id:`passive_fingerprint_file`. +## defined by :zeek:id:`passive_fingerprint_file`. ## ## c: The connection. ## @@ -599,7 +599,7 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%); ## ## OS: The OS version string. ## -## .. bro:see:: passive_fingerprint_file software_parse_error +## .. zeek:see:: passive_fingerprint_file software_parse_error ## software_version_found software_unparsed_version_found ## generate_OS_version_event event OS_version_found%(c: connection, host: addr, OS: OS_version%); 
@@ -610,7 +610,7 @@ event OS_version_found%(c: connection, host: addr, OS: OS_version%); ## ## p: A record describing the peer. ## -## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error +## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error ## remote_connection_handshake_done remote_event_registered remote_log remote_pong ## remote_state_access_performed remote_state_inconsistency print_hook event remote_connection_established%(p: event_peer%); @@ -621,7 +621,7 @@ event remote_connection_established%(p: event_peer%); ## ## p: A record describing the peer. ## -## .. bro:see:: remote_capture_filter remote_connection_error +## .. zeek:see:: remote_capture_filter remote_connection_error ## remote_connection_established remote_connection_handshake_done ## remote_event_registered remote_log remote_pong remote_state_access_performed ## remote_state_inconsistency print_hook @@ -633,7 +633,7 @@ event remote_connection_closed%(p: event_peer%); ## ## p: A record describing the peer. ## -## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error +## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error ## remote_connection_established remote_event_registered remote_log remote_pong ## remote_state_access_performed remote_state_inconsistency print_hook event remote_connection_handshake_done%(p: event_peer%); @@ -646,7 +646,7 @@ event remote_connection_handshake_done%(p: event_peer%); ## ## name: TODO. ## -## .. bro:see:: remote_capture_filter remote_connection_closed +## .. zeek:see:: remote_capture_filter remote_connection_closed ## remote_connection_error remote_connection_established ## remote_connection_handshake_done remote_log remote_pong ## remote_state_access_performed remote_state_inconsistency print_hook 
@@ -660,7 +660,7 @@ event remote_event_registered%(p: event_peer, name: string%); ## ## reason: A textual description of the error. ## -## .. bro:see:: remote_capture_filter remote_connection_closed +## .. zeek:see:: remote_capture_filter remote_connection_closed ## remote_connection_established remote_connection_handshake_done ## remote_event_registered remote_log remote_pong remote_state_access_performed ## remote_state_inconsistency print_hook @@ -674,20 +674,20 @@ event remote_connection_error%(p: event_peer, reason: string%); ## ## filter: The filter string sent by the peer. ## -## .. bro:see:: remote_connection_closed remote_connection_error +## .. zeek:see:: remote_connection_closed remote_connection_error ## remote_connection_established remote_connection_handshake_done ## remote_event_registered remote_log remote_pong remote_state_access_performed ## remote_state_inconsistency print_hook event remote_capture_filter%(p: event_peer, filter: string%); -## Generated after a call to :bro:id:`send_state` when all data has been +## Generated after a call to :zeek:id:`send_state` when all data has been ## successfully sent to the remote side. While this event is ## intended primarily for use by Bro's communication framework, it can also ## trigger additional code if helpful. ## ## p: A record describing the remote peer. ## -## .. bro:see:: remote_capture_filter remote_connection_closed +## .. zeek:see:: remote_capture_filter remote_connection_closed ## remote_connection_error remote_connection_established ## remote_connection_handshake_done remote_event_registered remote_log remote_pong ## remote_state_access_performed remote_state_inconsistency print_hook 
@@ -696,7 +696,7 @@ event finished_send_state%(p: event_peer%); ## Generated if state synchronization detects an inconsistency. While this ## event is intended primarily for use by Bro's communication framework, it can ## also trigger additional code if helpful. This event is only raised if -## :bro:id:`remote_check_sync_consistency` is false. +## :zeek:id:`remote_check_sync_consistency` is false. ## ## operation: The textual description of the state operation performed. ## @@ -709,7 +709,7 @@ event finished_send_state%(p: event_peer%); ## found before the operation was carried out. The difference between ## *real_old* and *expected_old* is the inconsistency being reported. ## -## .. bro:see:: remote_capture_filter remote_connection_closed +## .. zeek:see:: remote_capture_filter remote_connection_closed ## remote_connection_error remote_connection_established ## remote_connection_handshake_done remote_event_registered remote_log remote_pong ## remote_state_access_performed print_hook remote_check_sync_consistency 
@@ -720,17 +720,17 @@ event remote_state_inconsistency%(operation: string, id: string, ## intended primarily for use by Bro's communication framework, it can also ## trigger additional code if helpful. ## -## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or -## :bro:id:`REMOTE_LOG_ERROR`. +## level: The log level, which is either :zeek:id:`REMOTE_LOG_INFO` or +## :zeek:id:`REMOTE_LOG_ERROR`. ## ## src: The component of the communication system that logged the message. -## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's -## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or -## :bro:id:`REMOTE_SRC_SCRIPT` (the script level). +## Currently, this will be one of :zeek:id:`REMOTE_SRC_CHILD` (Bro's +## child process), :zeek:id:`REMOTE_SRC_PARENT` (Bro's main process), or +## :zeek:id:`REMOTE_SRC_SCRIPT` (the script level). ## ## msg: The message logged. ## -## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error +## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error ## remote_connection_established remote_connection_handshake_done ## remote_event_registered remote_pong remote_state_access_performed ## remote_state_inconsistency print_hook remote_log_peer 
@@ -739,21 +739,21 @@ event remote_log%(level: count, src: count, msg: string%); ## Generated for communication log messages. While this event is ## intended primarily for use by Bro's communication framework, it can also ## trigger additional code if helpful. This event is equivalent to -## :bro:see:`remote_log` except the message is with respect to a certain peer. +## :zeek:see:`remote_log` except the message is with respect to a certain peer. ## ## p: A record describing the remote peer. ## -## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or -## :bro:id:`REMOTE_LOG_ERROR`. +## level: The log level, which is either :zeek:id:`REMOTE_LOG_INFO` or +## :zeek:id:`REMOTE_LOG_ERROR`. ## ## src: The component of the communication system that logged the message. -## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's -## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or -## :bro:id:`REMOTE_SRC_SCRIPT` (the script level). +## Currently, this will be one of :zeek:id:`REMOTE_SRC_CHILD` (Bro's +## child process), :zeek:id:`REMOTE_SRC_PARENT` (Bro's main process), or +## :zeek:id:`REMOTE_SRC_SCRIPT` (the script level). ## ## msg: The message logged. ## -## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error +## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error ## remote_connection_established remote_connection_handshake_done ## remote_event_registered remote_pong remote_state_access_performed ## remote_state_inconsistency print_hook remote_log 
@@ -761,12 +761,12 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); ## Generated when a remote peer has answered to our ping. This event is part of ## Bro's infrastructure for measuring communication latency. One can send a ping -## by calling :bro:id:`send_ping` and when a corresponding reply is received, +## by calling :zeek:id:`send_ping` and when a corresponding reply is received, ## this event will be raised. ## ## p: The peer sending us the pong. ## -## seq: The sequence number passed to the original :bro:id:`send_ping` call. +## seq: The sequence number passed to the original :zeek:id:`send_ping` call. ## The number is sent back by the peer in its response. ## ## d1: The time interval between sending the ping and receiving the pong. This @@ -779,7 +779,7 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); ## ping and when its parent process sent the pong. This is the ## processing latency at the peer. ## -## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error +## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error ## remote_connection_established remote_connection_handshake_done ## remote_event_registered remote_log remote_state_access_performed ## remote_state_inconsistency print_hook 
@@ -793,27 +793,27 @@ event remote_pong%(p: event_peer, seq: count, ## ## v: The new value of the variable. ## -## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error +## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error ## remote_connection_established remote_connection_handshake_done ## remote_event_registered remote_log remote_pong remote_state_inconsistency ## print_hook event remote_state_access_performed%(id: string, v: any%); ## Generated each time Bro's internal profiling log is updated. The file is -## defined by :bro:id:`profiling_file`, and its update frequency by -## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`. +## defined by :zeek:id:`profiling_file`, and its update frequency by +## :zeek:id:`profiling_interval` and :zeek:id:`expensive_profiling_multiple`. ## ## f: The profiling file. ## ## expensive: True if this event corresponds to heavier-weight profiling as -## indicated by the :bro:id:`expensive_profiling_multiple` variable. +## indicated by the :zeek:id:`expensive_profiling_multiple` variable. ## -## .. bro:see:: profiling_interval expensive_profiling_multiple +## .. zeek:see:: profiling_interval expensive_profiling_multiple event profiling_update%(f: file, expensive: bool%); ## Raised for informational messages reported via Bro's reporter framework. Such ## messages may be generated internally by the event engine and also by other -## scripts calling :bro:id:`Reporter::info`. +## scripts calling :zeek:id:`Reporter::info`. ## ## t: The time the message was passed to the reporter. ## 
@@ -822,7 +822,7 @@ event profiling_update%(f: file, expensive: bool%); ## location: A (potentially empty) string describing a location associated with ## the message. ## -## .. bro:see:: reporter_warning reporter_error Reporter::info Reporter::warning +## .. zeek:see:: reporter_warning reporter_error Reporter::info Reporter::warning ## Reporter::error ## ## .. note:: Bro will not call reporter events recursively. If the handler of @@ -832,7 +832,7 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler; ## Raised for warnings reported via Bro's reporter framework. Such messages may ## be generated internally by the event engine and also by other scripts calling -## :bro:id:`Reporter::warning`. +## :zeek:id:`Reporter::warning`. ## ## t: The time the warning was passed to the reporter. ## @@ -841,7 +841,7 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler; ## location: A (potentially empty) string describing a location associated with ## the warning. ## -## .. bro:see:: reporter_info reporter_error Reporter::info Reporter::warning +## .. zeek:see:: reporter_info reporter_error Reporter::info Reporter::warning ## Reporter::error ## ## .. note:: Bro will not call reporter events recursively. If the handler of @@ -851,7 +851,7 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler; ## Raised for errors reported via Bro's reporter framework. Such messages may ## be generated internally by the event engine and also by other scripts calling -## :bro:id:`Reporter::error`. +## :zeek:id:`Reporter::error`. ## ## t: The time the error was passed to the reporter. ## 
@@ -860,7 +860,7 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler; ## location: A (potentially empty) string describing a location associated with ## the error. ## -## .. bro:see:: reporter_info reporter_warning Reporter::info Reporter::warning +## .. zeek:see:: reporter_info reporter_warning Reporter::info Reporter::warning ## Reporter::error ## ## .. note:: Bro will not call reporter events recursively. If the handler of @@ -878,11 +878,11 @@ event zeek_script_loaded%(path: string, level: count%); ## Deprecated synonym for ``zeek_script_loaded``. ## -## .. bro:see: zeek_script_loaded +## .. zeek:see: zeek_script_loaded event bro_script_loaded%(path: string, level: count%) &deprecated; ## Generated each time Bro's script interpreter opens a file. This event is -## triggered only for files opened via :bro:id:`open`, and in particular not for +## triggered only for files opened via :zeek:id:`open`, and in particular not for ## normal log files as created by log writers. ## ## f: The opened file. @@ -896,7 +896,7 @@ event event_queue_flush_point%(%); ## belongs. All incoming data to the framework is buffered, and depends ## on a handler for this event to return a string value that uniquely ## identifies a file. Among all handlers of this event, the last one to -## call :bro:see:`set_file_handle` will "win". +## call :zeek:see:`set_file_handle` will "win". ## ## tag: The analyzer which is carrying the file data. ## 
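Review bot: The cross-reference on the deprecated `bro_script_loaded` event in the `@@ -878,11 +878,11 @@` hunk is still written with a single trailing colon, `## .. zeek:see: zeek_script_loaded`. reStructuredText directives need `::`, so this line is read as a comment and the link to `zeek_script_loaded` is presumably dropped from the generated documentation. Since the rename touches the line anyway, it should read `## .. zeek:see:: zeek_script_loaded`.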
@@ -904,15 +904,15 @@ event event_queue_flush_point%(%); ## ## is_orig: The direction the file data is flowing over the connection. ## -## .. bro:see:: set_file_handle +## .. zeek:see:: set_file_handle event get_file_handle%(tag: Analyzer::Tag, c: connection, is_orig: bool%); ## Indicates that an analysis of a new file has begun. The analysis can be -## augmented at this time via :bro:see:`Files::add_analyzer`. +## augmented at this time via :zeek:see:`Files::add_analyzer`. ## ## f: The file. ## -## .. bro:see:: file_over_new_connection file_timeout file_gap +## .. zeek:see:: file_over_new_connection file_timeout file_gap ## file_sniff file_state_remove event file_new%(f: fa_file%); @@ -925,16 +925,16 @@ event file_new%(f: fa_file%); ## ## is_orig: true if the originator of *c* is the one sending the file. ## -## .. bro:see:: file_new file_timeout file_gap file_sniff +## .. zeek:see:: file_new file_timeout file_gap file_sniff ## file_state_remove event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%); ## Provide all metadata that has been inferred about a particular file ## from inspection of the initial content that been seen at the beginning ## of the file. The analysis can be augmented at this time via -## :bro:see:`Files::add_analyzer`. The amount of data fed into the file +## :zeek:see:`Files::add_analyzer`. The amount of data fed into the file ## sniffing can be increased or decreased by changing either -## :bro:see:`default_file_bof_buffer_size` or the `bof_buffer_size` field +## :zeek:see:`default_file_bof_buffer_size` or the `bof_buffer_size` field ## in an `fa_file` record. The event will be raised even if content inspection ## has been unable to infer any metadata, in which case the fields in *meta* ## will be left all unset. 
@@ -943,7 +943,7 @@ event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%); ## ## meta: Metadata that's been discovered about the file. ## -## .. bro:see:: file_over_new_connection file_timeout file_gap +## .. zeek:see:: file_over_new_connection file_timeout file_gap ## file_state_remove event file_sniff%(f: fa_file, meta: fa_metadata%); @@ -952,7 +952,7 @@ event file_sniff%(f: fa_file, meta: fa_metadata%); ## ## f: The file. ## -## .. bro:see:: file_new file_over_new_connection file_gap +## .. zeek:see:: file_new file_over_new_connection file_gap ## file_sniff file_state_remove default_file_timeout_interval ## Files::set_timeout_interval event file_timeout%(f: fa_file%); @@ -965,12 +965,12 @@ event file_timeout%(f: fa_file%); ## ## len: The number of missing bytes. ## -## .. bro:see:: file_new file_over_new_connection file_timeout +## .. zeek:see:: file_new file_over_new_connection file_timeout ## file_sniff file_state_remove file_reassembly_overflow event file_gap%(f: fa_file, offset: count, len: count%); ## Indicates that the file had an overflow of the reassembly buffer. -## This is a specialization of the :bro:id:`file_gap` event. +## This is a specialization of the :zeek:id:`file_gap` event. ## ## f: The file. ## @@ -981,7 +981,7 @@ event file_gap%(f: fa_file, offset: count, len: count%); ## file data and get back under the reassembly buffer size limit. ## This value will also be represented as a gap. ## -## .. bro:see:: file_new file_over_new_connection file_timeout +## .. zeek:see:: file_new file_over_new_connection file_timeout ## file_sniff file_state_remove file_gap ## Files::enable_reassembler Files::reassembly_buffer_size ## Files::enable_reassembly Files::disable_reassembly 
@@ -992,7 +992,7 @@ event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%); ## ## f: The file. ## -## .. bro:see:: file_new file_over_new_connection file_timeout file_gap +## .. zeek:see:: file_new file_over_new_connection file_timeout file_gap ## file_sniff event file_state_remove%(f: fa_file%); @@ -1003,7 +1003,7 @@ event file_state_remove%(f: fa_file%); ## ## dm: A record describing the new resolver result (which matches the old one). ## -## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name ## dns_mapping_unverified event dns_mapping_valid%(dm: dns_mapping%); @@ -1015,7 +1015,7 @@ event dns_mapping_valid%(dm: dns_mapping%); ## ## dm: A record describing the old resolver result. ## -## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name ## dns_mapping_valid event dns_mapping_unverified%(dm: dns_mapping%); @@ -1026,7 +1026,7 @@ event dns_mapping_unverified%(dm: dns_mapping%); ## ## dm: A record describing the new resolver result. ## -## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified +## .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified ## dns_mapping_valid event dns_mapping_new_name%(dm: dns_mapping%); @@ -1038,7 +1038,7 @@ event dns_mapping_new_name%(dm: dns_mapping%); ## ## dm: A record describing the old resolver result. ## -## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified +## .. zeek:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified ## dns_mapping_valid event dns_mapping_lost_name%(dm: dns_mapping%); 
@@ -1055,7 +1055,7 @@ event dns_mapping_lost_name%(dm: dns_mapping%); ## new_addrs: Addresses that were not part of the returned set for the query ## described by *dm*, but now are. ## -## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## .. zeek:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified ## dns_mapping_valid event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%); diff --git a/src/file_analysis/analyzer/extract/events.bif b/src/file_analysis/analyzer/extract/events.bif index d1dfe0c654..2324294b88 100644 --- a/src/file_analysis/analyzer/extract/events.bif +++ b/src/file_analysis/analyzer/extract/events.bif @@ -1,17 +1,17 @@ ## This event is generated when a file extraction analyzer is about ## to exceed the maximum permitted file size allowed by the -## *extract_limit* field of :bro:see:`Files::AnalyzerArgs`. +## *extract_limit* field of :zeek:see:`Files::AnalyzerArgs`. ## The analyzer is automatically removed from file *f*. ## ## f: The file. ## ## args: Arguments that identify a particular file extraction analyzer. ## This is only provided to be able to pass along to -## :bro:see:`FileExtract::set_limit`. +## :zeek:see:`FileExtract::set_limit`. ## ## limit: The limit, in bytes, the extracted file is about to breach. ## ## len: The length of the file chunk about to be written. ## -## .. bro:see:: Files::add_analyzer Files::ANALYZER_EXTRACT +## .. zeek:see:: Files::add_analyzer Files::ANALYZER_EXTRACT event file_extraction_limit%(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count%); diff --git a/src/file_analysis/analyzer/extract/functions.bif b/src/file_analysis/analyzer/extract/functions.bif index 18e9dde171..c91f0590bd 100644 --- a/src/file_analysis/analyzer/extract/functions.bif +++ b/src/file_analysis/analyzer/extract/functions.bif 
@@ -6,7 +6,7 @@ module FileExtract; #include "file_analysis/Manager.h" %%} -## :bro:see:`FileExtract::set_limit`. +## :zeek:see:`FileExtract::set_limit`. function FileExtract::__set_limit%(file_id: string, args: any, n: count%): bool %{ using BifType::Record::Files::AnalyzerArgs; diff --git a/src/file_analysis/analyzer/hash/events.bif b/src/file_analysis/analyzer/hash/events.bif index e03cbf359a..814c4741e6 100644 --- a/src/file_analysis/analyzer/hash/events.bif +++ b/src/file_analysis/analyzer/hash/events.bif @@ -7,6 +7,6 @@ ## ## hash: The result of the hashing. ## -## .. bro:see:: Files::add_analyzer Files::ANALYZER_MD5 +## .. zeek:see:: Files::add_analyzer Files::ANALYZER_MD5 ## Files::ANALYZER_SHA1 Files::ANALYZER_SHA256 event file_hash%(f: fa_file, kind: string, hash: string%); diff --git a/src/file_analysis/analyzer/pe/events.bif b/src/file_analysis/analyzer/pe/events.bif index c804937c49..1d25936a65 100644 --- a/src/file_analysis/analyzer/pe/events.bif +++ b/src/file_analysis/analyzer/pe/events.bif @@ -6,7 +6,7 @@ ## ## h: The parsed DOS header information. ## -## .. bro:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header +## .. zeek:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); ## A :abbr:`PE (Portable Executable)` file DOS stub was parsed. @@ -17,7 +17,7 @@ event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); ## ## code: The DOS stub ## -## .. bro:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header +## .. zeek:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header event pe_dos_code%(f: fa_file, code: string%); ## A :abbr:`PE (Portable Executable)` file file header was parsed. 
@@ -29,7 +29,7 @@ event pe_dos_code%(f: fa_file, code: string%); ## ## h: The parsed file header information. ## -## .. bro:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header +## .. zeek:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header event pe_file_header%(f: fa_file, h: PE::FileHeader%); ## A :abbr:`PE (Portable Executable)` file optional header was parsed. @@ -42,7 +42,7 @@ event pe_file_header%(f: fa_file, h: PE::FileHeader%); ## ## h: The parsed optional header information. ## -## .. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header +## .. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); ## A :abbr:`PE (Portable Executable)` file section header was parsed. @@ -53,5 +53,5 @@ event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); ## ## h: The parsed section header information. ## -## .. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header +## .. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header event pe_section_header%(f: fa_file, h: PE::SectionHeader%); diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index 68afe5340a..fd4f9fadfe 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -11,7 +11,7 @@ ## ## cert: The parsed certificate information. ## -## .. bro:see:: x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify ## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%); 
@@ -25,7 +25,7 @@ event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certif ## ## ext: The parsed extension. ## -## .. bro:see:: x509_certificate x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify ## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_extension%(f: fa_file, ext: X509::Extension%); @@ -37,7 +37,7 @@ event x509_extension%(f: fa_file, ext: X509::Extension%); ## ## ext: The parsed basic constraints extension. ## -## .. bro:see:: x509_certificate x509_extension +## .. zeek:see:: x509_certificate x509_extension ## x509_ext_subject_alternative_name x509_parse x509_verify ## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); @@ -51,7 +51,7 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## ## ext: The parsed subject alternative name extension. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp ## x509_get_certificate_string event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%); @@ -76,7 +76,7 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## ## signature: signature part of the digitally_signed struct ## -## .. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints +## .. zeek:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints ## x509_parse x509_verify x509_ext_subject_alternative_name ## x509_get_certificate_string ssl_extension_signed_certificate_timestamp ## sct_verify ocsp_request ocsp_request_certificate ocsp_response_status 
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index e4e263fd35..40d4ec6da8 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -192,7 +192,7 @@ const EVP_MD* hash_to_evp(int hash) ## ## Returns: A X509::Certificate structure. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_verify ## x509_get_certificate_string function x509_parse%(cert: opaque of x509%): X509::Certificate @@ -213,7 +213,7 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate ## ## Returns: X509 certificate as a string. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F%): string %{ @@ -249,7 +249,7 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F ## Returns: A record of type X509::Result containing the result code of the ## verify operation. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_verify function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result 
@@ -536,7 +536,7 @@ x509_ocsp_cleanup: ## verify operation. In case of success also returns the full ## certificate chain. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_ocsp_verify sct_verify function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result @@ -646,7 +646,7 @@ x509_verify_chainerror: ## ## Returns: T if the validation could be performed succesfully, F otherwhise. ## -## .. bro:see:: ssl_extension_signed_certificate_timestamp +## .. zeek:see:: ssl_extension_signed_certificate_timestamp ## x509_ocsp_ext_signed_certificate_timestamp ## x509_verify function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool @@ -876,7 +876,7 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha ## ## Returns: The hash as a string. ## -## .. bro:see:: x509_issuer_name_hash x509_spki_hash +## .. zeek:see:: x509_issuer_name_hash x509_spki_hash ## x509_verify sct_verify function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ @@ -894,7 +894,7 @@ function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string ## ## Returns: The hash as a string. ## -## .. bro:see:: x509_subject_name_hash x509_spki_hash +## .. zeek:see:: x509_subject_name_hash x509_spki_hash ## x509_verify sct_verify function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ 
@@ -912,7 +912,7 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string ## ## Returns: The hash as a string. ## -## .. bro:see:: x509_subject_name_hash x509_issuer_name_hash +## .. zeek:see:: x509_subject_name_hash x509_issuer_name_hash ## x509_verify sct_verify function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string %{ diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index f49208d238..564126b2bb 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -7,7 +7,7 @@ ## ## req: version: the version of the OCSP request. Typically 0 (Version 1). ## -## .. bro:see:: ocsp_request_certificate ocsp_response_status +## .. zeek:see:: ocsp_request_certificate ocsp_response_status ## ocsp_response_bytes ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_request%(f: fa_file, version: count%); @@ -27,7 +27,7 @@ event ocsp_request%(f: fa_file, version: count%); ## ## serialNumber: Serial number of the certificate for which the status is requested. ## -## .. bro:see:: ocsp_request ocsp_response_status +## .. zeek:see:: ocsp_request ocsp_response_status ## ocsp_response_bytes ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%); @@ -41,7 +41,7 @@ event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHas ## ## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). ## -## .. bro:see:: ocsp_request ocsp_request_certificate +## .. zeek:see:: ocsp_request ocsp_request_certificate ## ocsp_response_bytes ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_response_status%(f: fa_file, status: string%); 
@@ -68,7 +68,7 @@ event ocsp_response_status%(f: fa_file, status: string%); ## certs: Optional list of certificates that are sent with the OCSP response; these typically ## are needed to perform validation of the reply. ## -## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status ## ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); @@ -96,7 +96,7 @@ event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: st ## ## nextUpdate: Time next response will be ready; 0 if not supploed. ## -## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status ## ocsp_response_bytes ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time%); @@ -111,7 +111,7 @@ event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHa ## global_resp: T if extension encountered in the global response (in ResponseData), ## F when encountered in a SingleResponse. ## -## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status ## ocsp_response_bytes ocsp_response_certificate ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%); diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 81435bc3b5..f3086041b0 100644 
--- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif @@ -8,35 +8,35 @@ module Files; type AnalyzerArgs: record; -## :bro:see:`Files::set_timeout_interval`. +## :zeek:see:`Files::set_timeout_interval`. function Files::__set_timeout_interval%(file_id: string, t: interval%): bool %{ bool result = file_mgr->SetTimeoutInterval(file_id->CheckString(), t); return val_mgr->GetBool(result); %} -## :bro:see:`Files::enable_reassembly`. +## :zeek:see:`Files::enable_reassembly`. function Files::__enable_reassembly%(file_id: string%): bool %{ bool result = file_mgr->EnableReassembly(file_id->CheckString()); return val_mgr->GetBool(result); %} -## :bro:see:`Files::disable_reassembly`. +## :zeek:see:`Files::disable_reassembly`. function Files::__disable_reassembly%(file_id: string%): bool %{ bool result = file_mgr->DisableReassembly(file_id->CheckString()); return val_mgr->GetBool(result); %} -## :bro:see:`Files::set_reassembly_buffer_size`. +## :zeek:see:`Files::set_reassembly_buffer_size`. function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool %{ bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max); return val_mgr->GetBool(result); %} -## :bro:see:`Files::add_analyzer`. +## :zeek:see:`Files::add_analyzer`. function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool %{ using BifType::Record::Files::AnalyzerArgs; @@ -47,7 +47,7 @@ function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): b return val_mgr->GetBool(result); %} -## :bro:see:`Files::remove_analyzer`. +## :zeek:see:`Files::remove_analyzer`. function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool %{ using BifType::Record::Files::AnalyzerArgs; 
@@ -58,20 +58,20 @@ function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%) return val_mgr->GetBool(result); %} -## :bro:see:`Files::stop`. +## :zeek:see:`Files::stop`. function Files::__stop%(file_id: string%): bool %{ bool result = file_mgr->IgnoreFile(file_id->CheckString()); return val_mgr->GetBool(result); %} -## :bro:see:`Files::analyzer_name`. +## :zeek:see:`Files::analyzer_name`. function Files::__analyzer_name%(tag: Files::Tag%) : string %{ return new StringVal(file_mgr->GetComponentName(tag)); %} -## :bro:see:`Files::file_exists`. +## :zeek:see:`Files::file_exists`. function Files::__file_exists%(fuid: string%): bool %{ if ( file_mgr->LookupFile(fuid->CheckString()) != nullptr ) @@ -80,7 +80,7 @@ function Files::__file_exists%(fuid: string%): bool return val_mgr->GetFalse(); %} -## :bro:see:`Files::lookup_file`. +## :zeek:see:`Files::lookup_file`. function Files::__lookup_file%(fuid: string%): fa_file %{ auto f = file_mgr->LookupFile(fuid->CheckString()); @@ -95,14 +95,14 @@ function Files::__lookup_file%(fuid: string%): fa_file module GLOBAL; -## For use within a :bro:see:`get_file_handle` handler to set a unique +## For use within a :zeek:see:`get_file_handle` handler to set a unique ## identifier to associate with the current input to the file analysis ## framework. Using an empty string for the handle signifies that the ## input will be ignored/discarded. ## ## handle: A string that uniquely identifies a file. ## -## .. bro:see:: get_file_handle +## .. zeek:see:: get_file_handle function set_file_handle%(handle: string%): any %{ auto bytes = reinterpret_cast(handle->Bytes()); diff --git a/src/iosource/pcap/pcap.bif b/src/iosource/pcap/pcap.bif index 1e7ca8a844..9e6e0238ba 100644 --- a/src/iosource/pcap/pcap.bif +++ b/src/iosource/pcap/pcap.bif 
@@ -12,7 +12,7 @@ const bufsize: count; ## ## Returns: True if *s* is valid and precompiles successfully. ## -## .. bro:see:: Pcap::install_pcap_filter +## .. zeek:see:: Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter ## uninstall_src_addr_filter @@ -51,14 +51,14 @@ function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool %} ## Installs a PCAP filter that has been precompiled with -## :bro:id:`Pcap::precompile_pcap_filter`. +## :zeek:id:`Pcap::precompile_pcap_filter`. ## ## id: The PCAP filter id of a precompiled filter. ## ## Returns: True if the filter associated with *id* has been installed ## successfully. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## install_src_addr_filter ## install_src_net_filter ## uninstall_src_addr_filter @@ -90,7 +90,7 @@ function Pcap::install_pcap_filter%(id: PcapFilterID%): bool ## ## Returns: A descriptive error message of the PCAP function that failed. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter diff --git a/src/main.cc b/src/main.cc index 1dddc99681..af29b1e7d7 100644 --- a/src/main.cc +++ b/src/main.cc @@ -55,7 +55,7 @@ extern "C" { #include "analyzer/Tag.h" #include "plugin/Manager.h" #include "file_analysis/Manager.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" #include "iosource/Manager.h" #include "broker/Manager.h" @@ -91,7 +91,7 @@ input::Manager* input_mgr = 0; plugin::Manager* plugin_mgr = 0; analyzer::Manager* analyzer_mgr = 0; file_analysis::Manager* file_mgr = 0; -broxygen::Manager* broxygen_mgr = 0; +zeexygen::Manager* zeexygen_mgr = 0; iosource::Manager* iosource_mgr = 0; bro_broker::Manager* broker_mgr = 0; 
@@ -194,7 +194,7 @@ void usage(int code = 1) fprintf(stderr, " -T|--re-level | set 'RE_level' for rules\n"); fprintf(stderr, " -U|--status-file | Record process status in file\n"); fprintf(stderr, " -W|--watchdog | activate watchdog timer\n"); - fprintf(stderr, " -X|--broxygen | generate documentation based on config file\n"); + fprintf(stderr, " -X|--zeexygen | generate documentation based on config file\n"); #ifdef USE_PERFTOOLS_DEBUG fprintf(stderr, " -m|--mem-leaks | show leaks [perftools]\n"); @@ -214,7 +214,7 @@ void usage(int code = 1) fprintf(stderr, " $BRO_SEED_FILE | file to load seeds from (not set)\n"); fprintf(stderr, " $BRO_LOG_SUFFIX | ASCII log file extension (.%s)\n", logging::writer::Ascii::LogExt().c_str()); fprintf(stderr, " $BRO_PROFILER_FILE | Output file for script execution statistics (not set)\n"); - fprintf(stderr, " $BRO_DISABLE_BROXYGEN | Disable Broxygen documentation support (%s)\n", getenv("BRO_DISABLE_BROXYGEN") ? "set" : "not set"); + fprintf(stderr, " $BRO_DISABLE_BROXYGEN | Disable Zeexygen documentation support (%s)\n", getenv("BRO_DISABLE_BROXYGEN") ? "set" : "not set"); fprintf(stderr, "\n"); @@ -370,7 +370,7 @@ void terminate_bro() plugin_mgr->FinishPlugins(); - delete broxygen_mgr; + delete zeexygen_mgr; delete timer_mgr; delete persistence_serializer; delete event_serializer; @@ -534,7 +534,7 @@ int main(int argc, char** argv) {"filter", required_argument, 0, 'f'}, {"help", no_argument, 0, 'h'}, {"iface", required_argument, 0, 'i'}, - {"broxygen", required_argument, 0, 'X'}, + {"zeexygen", required_argument, 0, 'X'}, {"prefix", required_argument, 0, 'p'}, {"readfile", required_argument, 0, 'r'}, {"rulefile", required_argument, 0, 's'}, @@ -586,7 +586,7 @@ int main(int argc, char** argv) if ( p ) add_to_name_list(p, ':', prefixes); - string broxygen_config; + string zeexygen_config; #ifdef USE_IDMEF string libidmef_dtd_path = "idmef-message.dtd"; 
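Review bot: Replacing the `{"broxygen", required_argument, 0, 'X'}` entry in main()'s long-option table (hunk `@@ -534,7 +534,7 @@`) removes the `--broxygen` spelling outright, so existing build or documentation scripts that pass the long form will presumably be rejected as an unknown option; `-X` is unaffected. Keeping the old spelling as a deprecated alias beside the new entry, `{"broxygen", required_argument, 0, 'X'},`, would avoid that break. The usage() hunks carry a related inconsistency: the help text now says "Zeexygen" while the variable it describes is still `$BRO_DISABLE_BROXYGEN`. If the old variable name is kept on purpose, a comment such as `// env var name kept for backward compatibility` would make that clear. Both main() and usage() continue outside these hunks.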
@@ -739,7 +739,7 @@ int main(int argc, char** argv) break; case 'X': - broxygen_config = optarg; + zeexygen_config = optarg; break; #ifdef USE_PERFTOOLS_DEBUG @@ -821,7 +821,7 @@ int main(int argc, char** argv) timer_mgr = new PQ_TimerMgr(""); // timer_mgr = new CQ_TimerMgr(); - broxygen_mgr = new broxygen::Manager(broxygen_config, bro_argv[0]); + zeexygen_mgr = new zeexygen::Manager(zeexygen_config, bro_argv[0]); add_essential_input_file("base/init-bare.zeek"); add_essential_input_file("base/init-frameworks-and-bifs.zeek"); @@ -872,7 +872,7 @@ int main(int argc, char** argv) plugin_mgr->InitPreScript(); analyzer_mgr->InitPreScript(); file_mgr->InitPreScript(); - broxygen_mgr->InitPreScript(); + zeexygen_mgr->InitPreScript(); bool missing_plugin = false; @@ -958,7 +958,7 @@ int main(int argc, char** argv) exit(1); plugin_mgr->InitPostScript(); - broxygen_mgr->InitPostScript(); + zeexygen_mgr->InitPostScript(); broker_mgr->InitPostScript(); if ( print_plugins ) @@ -988,7 +988,7 @@ int main(int argc, char** argv) } reporter->InitOptions(); - broxygen_mgr->GenerateDocs(); + zeexygen_mgr->GenerateDocs(); if ( user_pcap_filter ) { diff --git a/src/option.bif b/src/option.bif index 2156808763..849e6ccfb0 100644 --- a/src/option.bif +++ b/src/option.bif 
@@ -48,10 +48,10 @@ static bool call_option_handlers_and_set_value(StringVal* name, ID* i, Val* val, ## ## Returns: true on success, false when an error occurred. ## -## .. bro:see:: Option::set_change_handler Config::set_value +## .. zeek:see:: Option::set_change_handler Config::set_value ## -## .. note:: :bro:id:`Option::set` only works on one node and does not distribute -## new values across a cluster. The higher-level :bro:id:`Config::set_value` +## .. note:: :zeek:id:`Option::set` only works on one node and does not distribute +## new values across a cluster. The higher-level :zeek:id:`Config::set_value` ## supports clusterization and should typically be used instead of this ## lower-level function. function Option::set%(ID: string, val: any, location: string &default=""%): bool @@ -105,7 +105,7 @@ function Option::set%(ID: string, val: any, location: string &default=""%): bool %} ## Set a change handler for an option. The change handler will be -## called anytime :bro:id:`Option::set` is called for the option. +## called anytime :zeek:id:`Option::set` is called for the option. ## ## ID: The ID of the option for which change notifications are desired. ## @@ -127,7 +127,7 @@ function Option::set%(ID: string, val: any, location: string &default=""%): bool ## ## Returns: true when the change handler was set, false when an error occurred. ## -## .. bro:see:: Option::set +## .. zeek:see:: Option::set function Option::set_change_handler%(ID: string, on_change: any, priority: int &default=0%): bool %{ auto i = global_scope()->Lookup(ID->CheckString()); diff --git a/src/parse.y b/src/parse.y index 3b5d2cab14..0e363eb321 100644 --- a/src/parse.y +++ b/src/parse.y @@ -88,7 +88,7 @@ #include "Scope.h" #include "Reporter.h" #include "Brofiler.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" #include #include 
@@ -1039,7 +1039,7 @@ type_decl: $$ = new TypeDecl($3, $1, $4, (in_record > 0)); if ( in_record > 0 && cur_decl_type_id ) - broxygen_mgr->RecordField(cur_decl_type_id, $$, ::filename); + zeexygen_mgr->RecordField(cur_decl_type_id, $$, ::filename); } ; @@ -1073,7 +1073,7 @@ decl: TOK_MODULE TOK_ID ';' { current_module = $2; - broxygen_mgr->ModuleUsage(::filename, current_module); + zeexygen_mgr->ModuleUsage(::filename, current_module); } | TOK_EXPORT '{' { is_export = true; } decl_list '}' @@ -1082,36 +1082,36 @@ decl: | TOK_GLOBAL def_global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_REGULAR); - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | TOK_OPTION def_global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_OPTION); - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | TOK_CONST def_global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_CONST); - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | TOK_REDEF global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_REDEF); - broxygen_mgr->Redef($2, ::filename); + zeexygen_mgr->Redef($2, ::filename); } | TOK_REDEF TOK_ENUM global_id TOK_ADD_TO '{' - { parser_redef_enum($3); broxygen_mgr->Redef($3, ::filename); } + { parser_redef_enum($3); zeexygen_mgr->Redef($3, ::filename); } enum_body '}' ';' { - // Broxygen already grabbed new enum IDs as the type created them. + // Zeexygen already grabbed new enum IDs as the type created them. } | TOK_REDEF TOK_RECORD global_id - { cur_decl_type_id = $3; broxygen_mgr->Redef($3, ::filename); } + { cur_decl_type_id = $3; zeexygen_mgr->Redef($3, ::filename); } TOK_ADD_TO '{' { ++in_record; } type_decl_list 
@@ -1127,12 +1127,12 @@ decl: } | TOK_TYPE global_id ':' - { cur_decl_type_id = $2; broxygen_mgr->StartType($2); } + { cur_decl_type_id = $2; zeexygen_mgr->StartType($2); } type opt_attr ';' { cur_decl_type_id = 0; add_type($2, $5, $6); - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | func_hdr func_body @@ -1167,7 +1167,7 @@ func_hdr: begin_func($2, current_module.c_str(), FUNC_FLAVOR_FUNCTION, 0, $3, $4); $$ = $3; - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | TOK_EVENT event_id func_params opt_attr { diff --git a/src/plugin/ComponentManager.h b/src/plugin/ComponentManager.h index 0069c77359..22bd2dd302 100644 --- a/src/plugin/ComponentManager.h +++ b/src/plugin/ComponentManager.h @@ -10,7 +10,7 @@ #include "Var.h" #include "Val.h" #include "Reporter.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" namespace plugin { @@ -134,7 +134,7 @@ ComponentManager::ComponentManager(const string& arg_module, const string& tag_enum_type = new EnumType(module + "::" + local_id); ::ID* id = install_ID(local_id.c_str(), module.c_str(), true, true); add_type(id, tag_enum_type, 0); - broxygen_mgr->Identifier(id); + zeexygen_mgr->Identifier(id); } template diff --git a/src/probabilistic/bloom-filter.bif b/src/probabilistic/bloom-filter.bif index 468a6eeae2..284aebc745 100644 --- a/src/probabilistic/bloom-filter.bif +++ b/src/probabilistic/bloom-filter.bif 
@@ -22,14 +22,14 @@ module GLOBAL; ## rate of *fp*. ## ## name: A name that uniquely identifies and seeds the Bloom filter. If empty, -## the filter will use :bro:id:`global_hash_seed` if that's set, and +## the filter will use :zeek:id:`global_hash_seed` if that's set, and ## otherwise use a local seed tied to the current Bro process. Only ## filters with the same seed can be merged with -## :bro:id:`bloomfilter_merge`. +## :zeek:id:`bloomfilter_merge`. ## ## Returns: A Bloom filter handle. ## -## .. bro:see:: bloomfilter_basic_init2 bloomfilter_counting_init bloomfilter_add +## .. zeek:see:: bloomfilter_basic_init2 bloomfilter_counting_init bloomfilter_add ## bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed function bloomfilter_basic_init%(fp: double, capacity: count, name: string &default=""%): opaque of bloomfilter @@ -50,7 +50,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count, %} ## Creates a basic Bloom filter. This function serves as a low-level -## alternative to :bro:id:`bloomfilter_basic_init` where the user has full +## alternative to :zeek:id:`bloomfilter_basic_init` where the user has full ## control over the number of hash functions and cells in the underlying bit ## vector. ## 
@@ -59,14 +59,14 @@ function bloomfilter_basic_init%(fp: double, capacity: count, ## cells: The number of cells of the underlying bit vector. ## ## name: A name that uniquely identifies and seeds the Bloom filter. If empty, -## the filter will use :bro:id:`global_hash_seed` if that's set, and +## the filter will use :zeek:id:`global_hash_seed` if that's set, and ## otherwise use a local seed tied to the current Bro process. Only ## filters with the same seed can be merged with -## :bro:id:`bloomfilter_merge`. +## :zeek:id:`bloomfilter_merge`. ## ## Returns: A Bloom filter handle. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_counting_init bloomfilter_add +## .. zeek:see:: bloomfilter_basic_init bloomfilter_counting_init bloomfilter_add ## bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed function bloomfilter_basic_init2%(k: count, cells: count, name: string &default=""%): opaque of bloomfilter @@ -103,14 +103,14 @@ function bloomfilter_basic_init2%(k: count, cells: count, ## counter vector becomes a cell of size *w* bits. ## ## name: A name that uniquely identifies and seeds the Bloom filter. If empty, -## the filter will use :bro:id:`global_hash_seed` if that's set, and +## the filter will use :zeek:id:`global_hash_seed` if that's set, and ## otherwise use a local seed tied to the current Bro process. Only ## filters with the same seed can be merged with -## :bro:id:`bloomfilter_merge`. +## :zeek:id:`bloomfilter_merge`. ## ## Returns: A Bloom filter handle. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 bloomfilter_add +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 bloomfilter_add ## bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed function bloomfilter_counting_init%(k: count, cells: count, max: count, name: string &default=""%): opaque of bloomfilter 
@@ -139,7 +139,7 @@ function bloomfilter_counting_init%(k: count, cells: count, max: count, ## ## x: The element to add. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 ## bloomfilter_counting_init bloomfilter_lookup bloomfilter_clear ## bloomfilter_merge function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any @@ -166,7 +166,7 @@ function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any ## ## Returns: the counter associated with *x* in *bf*. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 ## bloomfilter_counting_init bloomfilter_add bloomfilter_clear ## bloomfilter_merge function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count @@ -191,7 +191,7 @@ function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count ## ## bf: The Bloom filter handle. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 ## bloomfilter_counting_init bloomfilter_add bloomfilter_lookup ## bloomfilter_merge function bloomfilter_clear%(bf: opaque of bloomfilter%): any @@ -216,7 +216,7 @@ function bloomfilter_clear%(bf: opaque of bloomfilter%): any ## ## Returns: The union of *bf1* and *bf2*. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 ## bloomfilter_counting_init bloomfilter_add bloomfilter_lookup ## bloomfilter_clear function bloomfilter_merge%(bf1: opaque of bloomfilter, diff --git a/src/probabilistic/cardinality-counter.bif b/src/probabilistic/cardinality-counter.bif index 4ba528bd3c..2fa7953c9e 100644 --- a/src/probabilistic/cardinality-counter.bif +++ b/src/probabilistic/cardinality-counter.bif 
@@ -17,7 +17,7 @@ module GLOBAL; ## ## Returns: a HLL cardinality handle. ## -## .. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add +## .. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add ## hll_cardinality_copy function hll_cardinality_init%(err: double, confidence: double%): opaque of cardinality %{ @@ -35,7 +35,7 @@ function hll_cardinality_init%(err: double, confidence: double%): opaque of card ## ## Returns: true on success. ## -## .. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into +## .. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into ## hll_cardinality_init hll_cardinality_copy function hll_cardinality_add%(handle: opaque of cardinality, elem: any%): bool %{ @@ -60,7 +60,7 @@ function hll_cardinality_add%(handle: opaque of cardinality, elem: any%): bool ## Merges a HLL cardinality counter into another. ## ## .. note:: The same restrictions as for Bloom filter merging apply, -## see :bro:id:`bloomfilter_merge`. +## see :zeek:id:`bloomfilter_merge`. ## ## handle1: the first HLL handle, which will contain the merged result. ## @@ -68,7 +68,7 @@ function hll_cardinality_add%(handle: opaque of cardinality, elem: any%): bool ## ## Returns: true on success. ## -## .. bro:see:: hll_cardinality_estimate hll_cardinality_add +## .. zeek:see:: hll_cardinality_estimate hll_cardinality_add ## hll_cardinality_init hll_cardinality_copy function hll_cardinality_merge_into%(handle1: opaque of cardinality, handle2: opaque of cardinality%): bool %{ @@ -103,7 +103,7 @@ function hll_cardinality_merge_into%(handle1: opaque of cardinality, handle2: op ## ## Returns: the cardinality estimate. Returns -1.0 if the counter is empty. ## -## .. bro:see:: hll_cardinality_merge_into hll_cardinality_add +## .. zeek:see:: hll_cardinality_merge_into hll_cardinality_add ## hll_cardinality_init hll_cardinality_copy function hll_cardinality_estimate%(handle: opaque of cardinality%): double %{ 
@@ -121,7 +121,7 @@ function hll_cardinality_estimate%(handle: opaque of cardinality%): double ## ## Returns: copy of handle. ## -## .. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add +## .. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add ## hll_cardinality_init function hll_cardinality_copy%(handle: opaque of cardinality%): opaque of cardinality %{ diff --git a/src/probabilistic/top-k.bif b/src/probabilistic/top-k.bif index 8d2a8c0fd8..8691521f31 100644 --- a/src/probabilistic/top-k.bif +++ b/src/probabilistic/top-k.bif @@ -10,7 +10,7 @@ ## ## Returns: Opaque pointer to the data structure. ## -## .. bro:see:: topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_add topk_get_top topk_count topk_epsilon ## topk_size topk_sum topk_merge topk_merge_prune function topk_init%(size: count%): opaque of topk %{ @@ -28,7 +28,7 @@ function topk_init%(size: count%): opaque of topk ## ## value: observed value. ## -## .. bro:see:: topk_init topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_get_top topk_count topk_epsilon ## topk_size topk_sum topk_merge topk_merge_prune function topk_add%(handle: opaque of topk, value: any%): any %{ @@ -47,7 +47,7 @@ function topk_add%(handle: opaque of topk, value: any%): any ## ## Returns: vector of the first k elements. ## -## .. bro:see:: topk_init topk_add topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_count topk_epsilon ## topk_size topk_sum topk_merge topk_merge_prune function topk_get_top%(handle: opaque of topk, k: count%): any_vec %{ 
@@ -68,7 +68,7 @@ function topk_get_top%(handle: opaque of topk, k: count%): any_vec ## ## Returns: Overestimated number for how often the element has been encountered. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_epsilon ## topk_size topk_sum topk_merge topk_merge_prune function topk_count%(handle: opaque of topk, value: any%): count %{ @@ -79,7 +79,7 @@ function topk_count%(handle: opaque of topk, value: any%): count ## Get the maximal overestimation for count. ## -## .. note:: Same restrictions as for :bro:id:`topk_count` apply. +## .. note:: Same restrictions as for :zeek:id:`topk_count` apply. ## ## handle: the TopK handle. ## @@ -88,7 +88,7 @@ function topk_count%(handle: opaque of topk, value: any%): count ## Returns: Number which represents the maximal overestimation for the count of ## this element. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count +## .. zeek:see:: topk_init topk_add topk_get_top topk_count ## topk_size topk_sum topk_merge topk_merge_prune function topk_epsilon%(handle: opaque of topk, value: any%): count %{ @@ -107,7 +107,7 @@ function topk_epsilon%(handle: opaque of topk, value: any%): count ## ## Returns: size given during initialization. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon ## topk_sum topk_merge topk_merge_prune function topk_size%(handle: opaque of topk%): count %{ 
@@ -120,14 +120,14 @@ function topk_size%(handle: opaque of topk%): count ## ## .. note:: This is equal to the number of all inserted objects if the data ## structure never has been pruned. Do not use after -## calling :bro:id:`topk_merge_prune` (will throw a warning message if used +## calling :zeek:id:`topk_merge_prune` (will throw a warning message if used ## afterwards). ## ## handle: the TopK handle. ## ## Returns: sum of all counts. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon ## topk_size topk_merge topk_merge_prune function topk_sum%(handle: opaque of topk%): count %{ @@ -145,7 +145,7 @@ function topk_sum%(handle: opaque of topk%): count ## .. note:: This does not remove any elements, the resulting data structure ## can be bigger than the maximum size given on initialization. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon ## topk_size topk_sum topk_merge_prune function topk_merge%(handle1: opaque of topk, handle2: opaque of topk%): any %{ 
@@ -164,14 +164,14 @@ function topk_merge%(handle1: opaque of topk, handle2: opaque of topk%): any ## data structure back to the size given on initialization. ## ## .. note:: Use with care and only when being aware of the restrictions this -## entails. Do not call :bro:id:`topk_size` or :bro:id:`topk_add` afterwards, +## entails. Do not call :zeek:id:`topk_size` or :zeek:id:`topk_add` afterwards, ## results will probably not be what you expect. ## ## handle1: the TopK handle in which the second TopK structure is merged. ## ## handle2: the TopK handle in which is merged into the first TopK structure. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon ## topk_size topk_sum topk_merge function topk_merge_prune%(handle1: opaque of topk, handle2: opaque of topk%): any %{ diff --git a/src/reporter.bif b/src/reporter.bif index d273c5cac8..dd74b944d6 100644 --- a/src/reporter.bif +++ b/src/reporter.bif @@ -19,7 +19,7 @@ module Reporter; ## ## Returns: Always true. ## -## .. bro:see:: reporter_info +## .. zeek:see:: reporter_info function Reporter::info%(msg: string%): bool %{ reporter->PushLocation(frame->GetCall()->GetLocationInfo()); @@ -34,7 +34,7 @@ function Reporter::info%(msg: string%): bool ## ## Returns: Always true. ## -## .. bro:see:: reporter_warning +## .. zeek:see:: reporter_warning function Reporter::warning%(msg: string%): bool %{ reporter->PushLocation(frame->GetCall()->GetLocationInfo()); @@ -50,7 +50,7 @@ function Reporter::warning%(msg: string%): bool ## ## Returns: Always true. ## -## .. bro:see:: reporter_error +## .. zeek:see:: reporter_error function Reporter::error%(msg: string%): bool %{ reporter->PushLocation(frame->GetCall()->GetLocationInfo()); diff --git a/src/scan.l b/src/scan.l index fb8ca20f8e..0b9a019cc8 100644 --- a/src/scan.l +++ b/src/scan.l 
@@ -29,7 +29,7 @@ #include "Traverse.h" #include "analyzer/Analyzer.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" #include "plugin/Manager.h" @@ -162,19 +162,19 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) %% ##!.* { - broxygen_mgr->SummaryComment(::filename, yytext + 3); + zeexygen_mgr->SummaryComment(::filename, yytext + 3); } ##<.* { string hint(cur_enum_type && last_id_tok ? make_full_var_name(current_module.c_str(), last_id_tok) : ""); - broxygen_mgr->PostComment(yytext + 3, hint); + zeexygen_mgr->PostComment(yytext + 3, hint); } ##.* { if ( yytext[2] != '#' ) - broxygen_mgr->PreComment(yytext + 2); + zeexygen_mgr->PreComment(yytext + 2); } #{OWS}@no-test.* return TOK_NO_TEST; @@ -376,7 +376,7 @@ when return TOK_WHEN; string loader = ::filename; // load_files may change ::filename, save copy string loading = find_relative_script_file(new_file); (void) load_files(new_file); - broxygen_mgr->ScriptDependency(loader, loading); + zeexygen_mgr->ScriptDependency(loader, loading); } @load-sigs{WS}{FILE} { @@ -720,7 +720,7 @@ static int load_files(const char* orig_file) else file_stack.append(new FileInfo); - broxygen_mgr->Script(file_path); + zeexygen_mgr->Script(file_path); DBG_LOG(DBG_SCRIPTS, "Loading %s", file_path.c_str()); diff --git a/src/stats.bif b/src/stats.bif index bb4d92586f..d31f66de4e 100644 --- a/src/stats.bif +++ b/src/stats.bif @@ -25,7 +25,7 @@ RecordType* ReporterStats; ## ## Returns: A record of packet statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -74,7 +74,7 @@ function get_net_stats%(%): NetStats ## ## Returns: A record with connection and packet statistics. ## -## .. bro:see:: get_dns_stats +## .. zeek:see:: get_dns_stats ## get_event_stats ## get_file_analysis_stats ## get_gap_stats 
@@ -125,7 +125,7 @@ function get_conn_stats%(%): ConnStats ## ## Returns: A record with process statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -182,7 +182,7 @@ function get_proc_stats%(%): ProcStats ## ## Returns: A record with event engine statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_file_analysis_stats ## get_gap_stats @@ -209,7 +209,7 @@ function get_event_stats%(%): EventStats ## ## Returns: A record with reassembler statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -238,7 +238,7 @@ function get_reassembler_stats%(%): ReassemblerStats ## ## Returns: A record with DNS lookup statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_event_stats ## get_file_analysis_stats ## get_gap_stats @@ -272,7 +272,7 @@ function get_dns_stats%(%): DNSStats ## ## Returns: A record with timer usage statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -300,7 +300,7 @@ function get_timer_stats%(%): TimerStats ## ## Returns: A record with file analysis statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_gap_stats @@ -328,7 +328,7 @@ function get_file_analysis_stats%(%): FileAnalysisStats ## ## Returns: A record with thread usage statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -354,7 +354,7 @@ function get_thread_stats%(%): ThreadStats ## ## Returns: A record with TCP gap statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats 
@@ -386,7 +386,7 @@ function get_gap_stats%(%): GapStats ## ## Returns: A record with matcher statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -423,7 +423,7 @@ function get_matcher_stats%(%): MatcherStats ## ## Returns: A record with Broker statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -459,7 +459,7 @@ function get_broker_stats%(%): BrokerStats ## ## Returns: A record with reporter statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats diff --git a/src/strings.bif b/src/strings.bif index e7571d5c70..ef584ee7af 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -55,7 +55,7 @@ function levenshtein_distance%(s1: string, s2: string%): count ## ## Returns: The concatenation of all (string) arguments. ## -## .. bro:see:: cat cat_sep cat_string_array cat_string_array_n +## .. zeek:see:: cat cat_sep cat_string_array cat_string_array_n ## fmt ## join_string_vec join_string_array function string_cat%(...%): string @@ -123,11 +123,11 @@ BroString* cat_string_array_n(TableVal* tbl, int start, int end) ## Concatenates all elements in an array of strings. ## -## a: The :bro:type:`string_array` (``table[count] of string``). +## a: The :zeek:type:`string_array` (``table[count] of string``). ## ## Returns: The concatenation of all elements in *a*. ## -## .. bro:see:: cat cat_sep string_cat cat_string_array_n +## .. zeek:see:: cat cat_sep string_cat cat_string_array_n ## fmt ## join_string_vec join_string_array function cat_string_array%(a: string_array%): string &deprecated 
@@ -138,7 +138,7 @@ function cat_string_array%(a: string_array%): string &deprecated ## Concatenates a specific range of elements in an array of strings. ## -## a: The :bro:type:`string_array` (``table[count] of string``). +## a: The :zeek:type:`string_array` (``table[count] of string``). ## ## start: The array index of the first element of the range. ## @@ -146,7 +146,7 @@ function cat_string_array%(a: string_array%): string &deprecated ## ## Returns: The concatenation of the range *[start, end]* in *a*. ## -## .. bro:see:: cat string_cat cat_string_array +## .. zeek:see:: cat string_cat cat_string_array ## fmt ## join_string_vec join_string_array function cat_string_array_n%(a: string_array, start: count, end: count%): string &deprecated @@ -160,12 +160,12 @@ function cat_string_array_n%(a: string_array, start: count, end: count%): string ## ## sep: The separator to place between each element. ## -## a: The :bro:type:`string_array` (``table[count] of string``). +## a: The :zeek:type:`string_array` (``table[count] of string``). ## ## Returns: The concatenation of all elements in *a*, with *sep* placed ## between each element. ## -## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n +## .. zeek:see:: cat cat_sep string_cat cat_string_array cat_string_array_n ## fmt ## join_string_vec function join_string_array%(sep: string, a: string_array%): string &deprecated 
@@ -196,12 +196,12 @@ function join_string_array%(sep: string, a: string_array%): string &deprecated ## ## sep: The separator to place between each element. ## -## vec: The :bro:type:`string_vec` (``vector of string``). +## vec: The :zeek:type:`string_vec` (``vector of string``). ## ## Returns: The concatenation of all elements in *vec*, with *sep* placed ## between each element. ## -## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n +## .. zeek:see:: cat cat_sep string_cat cat_string_array cat_string_array_n ## fmt ## join_string_array function join_string_vec%(vec: string_vec, sep: string%): string @@ -233,11 +233,11 @@ function join_string_vec%(vec: string_vec, sep: string%): string ## Sorts an array of strings. ## -## a: The :bro:type:`string_array` (``table[count] of string``). +## a: The :zeek:type:`string_array` (``table[count] of string``). ## ## Returns: A sorted copy of *a*. ## -## .. bro:see:: sort +## .. zeek:see:: sort function sort_string_array%(a: string_array%): string_array &deprecated %{ TableVal* tbl = a->AsTableVal(); @@ -278,7 +278,7 @@ function sort_string_array%(a: string_array%): string_array &deprecated ## Returns: An edited version of *arg_s* where *arg_edit_char* triggers the ## deletion of the last character. ## -## .. bro:see:: clean +## .. zeek:see:: clean ## to_string_literal ## escape_string ## strip @@ -558,7 +558,7 @@ Val* do_sub(StringVal* str_val, RE_Matcher* re, StringVal* repl, int do_all) ## Returns: An array of strings where each element corresponds to a substring ## in *str* separated by *re*. ## -## .. bro:see:: split1 split_all split_n str_split split_string1 split_string_all split_string_n str_split +## .. zeek:see:: split1 split_all split_n str_split split_string1 split_string_all split_string_n str_split ## ## .. note:: The returned table starts at index 1. Note that conceptually the ## return value is meant to be a vector and this might change in the 
@@ -578,7 +578,7 @@ function split%(str: string, re: pattern%): string_array &deprecated ## Returns: An array of strings where each element corresponds to a substring ## in *str* separated by *re*. ## -## .. bro:see:: split_string1 split_string_all split_string_n str_split +## .. zeek:see:: split_string1 split_string_all split_string_n str_split ## function split_string%(str: string, re: pattern%): string_vec %{ @@ -586,7 +586,7 @@ function split_string%(str: string, re: pattern%): string_vec %} ## Splits a string *once* into a two-element array of strings according to a -## pattern. This function is the same as :bro:id:`split`, but *str* is only +## pattern. This function is the same as :zeek:id:`split`, but *str* is only ## split once (if possible) at the earliest position and an array of two strings ## is returned. ## @@ -599,14 +599,14 @@ function split_string%(str: string, re: pattern%): string_vec ## second everything after *re*. An array of one string is returned ## when *s* cannot be split. ## -## .. bro:see:: split split_all split_n str_split split_string split_string_all split_string_n str_split +## .. zeek:see:: split split_all split_n str_split split_string split_string_all split_string_n str_split function split1%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 0, 1); %} ## Splits a string *once* into a two-element array of strings according to a -## pattern. This function is the same as :bro:id:`split_string`, but *str* is +## pattern. This function is the same as :zeek:id:`split_string`, but *str* is ## only split once (if possible) at the earliest position and an array of two ## strings is returned. ## 
@@ -619,14 +619,14 @@ function split1%(str: string, re: pattern%): string_array &deprecated ## second everything after *re*. An array of one string is returned ## when *s* cannot be split. ## -## .. bro:see:: split_string split_string_all split_string_n str_split +## .. zeek:see:: split_string split_string_all split_string_n str_split function split_string1%(str: string, re: pattern%): string_vec %{ return do_split_string(str, re, 0, 1); %} ## Splits a string into an array of strings according to a pattern. This -## function is the same as :bro:id:`split`, except that the separators are +## function is the same as :zeek:id:`split`, except that the separators are ## returned as well. For example, ``split_all("a-b--cd", /(\-)+/)`` returns ## ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do not match the ## pattern and even-indexed ones do. @@ -639,14 +639,14 @@ function split_string1%(str: string, re: pattern%): string_vec ## to a substring in *str* of the part not matching *re* (odd-indexed) ## and the part that matches *re* (even-indexed). ## -## .. bro:see:: split split1 split_n str_split split_string split_string1 split_string_n str_split +## .. zeek:see:: split split1 split_n str_split split_string split_string1 split_string_n str_split function split_all%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 1, 0); %} ## Splits a string into an array of strings according to a pattern. This -## function is the same as :bro:id:`split_string`, except that the separators +## function is the same as :zeek:id:`split_string`, except that the separators ## are returned as well. For example, ``split_string_all("a-b--cd", /(\-)+/)`` ## returns ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do match the ## pattern and even-indexed ones do not. 
@@ -659,15 +659,15 @@ function split_all%(str: string, re: pattern%): string_array &deprecated ## to a substring in *str* of the part not matching *re* (even-indexed) ## and the part that matches *re* (odd-indexed). ## -## .. bro:see:: split_string split_string1 split_string_n str_split +## .. zeek:see:: split_string split_string1 split_string_n str_split function split_string_all%(str: string, re: pattern%): string_vec %{ return do_split_string(str, re, 1, 0); %} ## Splits a string a given number of times into an array of strings according -## to a pattern. This function is similar to :bro:id:`split1` and -## :bro:id:`split_all`, but with customizable behavior with respect to +## to a pattern. This function is similar to :zeek:id:`split1` and +## :zeek:id:`split_all`, but with customizable behavior with respect to ## including separators in the result and the number of times to split. ## ## str: The string to split. @@ -675,7 +675,7 @@ function split_string_all%(str: string, re: pattern%): string_vec ## re: The pattern describing the element separator in *str*. ## ## incl_sep: A flag indicating whether to include the separator matches in the -## result (as in :bro:id:`split_all`). +## result (as in :zeek:id:`split_all`). ## ## max_num_sep: The number of times to split *str*. ## @@ -684,7 +684,7 @@ function split_string_all%(str: string, re: pattern%): string_vec ## not matching *re* (odd-indexed) and the part that matches *re* ## (even-indexed). ## -## .. bro:see:: split split1 split_all str_split split_string split_string1 split_string_all str_split +## .. zeek:see:: split split1 split_all str_split split_string split_string1 split_string_all str_split function split_n%(str: string, re: pattern, incl_sep: bool, max_num_sep: count%): string_array &deprecated %{ 
@@ -692,8 +692,8 @@ function split_n%(str: string, re: pattern, %} ## Splits a string a given number of times into an array of strings according -## to a pattern. This function is similar to :bro:id:`split_string1` and -## :bro:id:`split_string_all`, but with customizable behavior with respect to +## to a pattern. This function is similar to :zeek:id:`split_string1` and +## :zeek:id:`split_string_all`, but with customizable behavior with respect to ## including separators in the result and the number of times to split. ## ## str: The string to split. @@ -701,7 +701,7 @@ function split_n%(str: string, re: pattern, ## re: The pattern describing the element separator in *str*. ## ## incl_sep: A flag indicating whether to include the separator matches in the -## result (as in :bro:id:`split_string_all`). +## result (as in :zeek:id:`split_string_all`). ## ## max_num_sep: The number of times to split *str*. ## @@ -710,7 +710,7 @@ function split_n%(str: string, re: pattern, ## not matching *re* (even-indexed) and the part that matches *re* ## (odd-indexed). ## -## .. bro:see:: split_string split_string1 split_string_all str_split +## .. zeek:see:: split_string split_string1 split_string_all str_split function split_string_n%(str: string, re: pattern, incl_sep: bool, max_num_sep: count%): string_vec %{ @@ -729,7 +729,7 @@ function split_string_n%(str: string, re: pattern, ## Returns: A copy of *str* with the first occurence of *re* replaced with ## *repl*. ## -## .. bro:see:: gsub subst_string +## .. zeek:see:: gsub subst_string function sub%(str: string, re: pattern, repl: string%): string %{ return do_sub(str, re, repl, 0); @@ -746,7 +746,7 @@ function sub%(str: string, re: pattern, repl: string%): string ## ## Returns: A copy of *str* with all occurrences of *re* replaced with *repl*. ## -## .. bro:see:: sub subst_string +## .. zeek:see:: sub subst_string function gsub%(str: string, re: pattern, repl: string%): string %{ return do_sub(str, re, repl, 1); 
@@ -775,7 +775,7 @@ function strcmp%(s1: string, s2: string%): int ## Returns: The location of *little* in *big*, or 0 if *little* is not found in ## *big*. ## -## .. bro:see:: find_all find_last +## .. zeek:see:: find_all find_last function strstr%(big: string, little: string%): count %{ return val_mgr->GetCount( @@ -792,7 +792,7 @@ function strstr%(big: string, little: string%): count ## ## Returns: A copy of *s* where each occurrence of *from* is replaced with *to*. ## -## .. bro:see:: sub gsub +## .. zeek:see:: sub gsub function subst_string%(s: string, from: string, to: string%): string %{ const int little_len = from->Len(); @@ -843,7 +843,7 @@ function subst_string%(s: string, from: string, to: string%): string ## by ``isascii`` and ``isupper``) folded to lowercase ## (via ``tolower``). ## -## .. bro:see:: to_upper is_ascii +## .. zeek:see:: to_upper is_ascii function to_lower%(str: string%): string %{ const u_char* s = str->Bytes(); @@ -872,7 +872,7 @@ function to_lower%(str: string%): string ## by ``isascii`` and ``islower``) folded to uppercase ## (via ``toupper``). ## -## .. bro:see:: to_lower is_ascii +## .. zeek:see:: to_lower is_ascii function to_upper%(str: string%): string %{ const u_char* s = str->Bytes(); @@ -900,13 +900,13 @@ function to_upper%(str: string%): string ## ## If the string does not yet have a trailing NUL, one is added internally. ## -## In contrast to :bro:id:`escape_string`, this encoding is *not* fully reversible.` +## In contrast to :zeek:id:`escape_string`, this encoding is *not* fully reversible.` ## ## str: The string to escape. ## ## Returns: The escaped string. ## -## .. bro:see:: to_string_literal escape_string +## .. zeek:see:: to_string_literal escape_string function clean%(str: string%): string %{ char* s = str->AsString()->Render(); 
@@ -924,7 +924,7 @@ function clean%(str: string%): string ## ## Returns: The escaped string. ## -## .. bro:see:: clean escape_string +## .. zeek:see:: clean escape_string function to_string_literal%(str: string%): string %{ char* s = str->AsString()->Render(BroString::BRO_STRING_LITERAL); @@ -938,7 +938,7 @@ function to_string_literal%(str: string%): string ## Returns: False if any byte value of *str* is greater than 127, and true ## otherwise. ## -## .. bro:see:: to_upper to_lower +## .. zeek:see:: to_upper to_lower function is_ascii%(str: string%): bool %{ int n = str->Len(); @@ -957,13 +957,13 @@ function is_ascii%(str: string%): bool ## - values not in *[32, 126]* to ``\xXX`` ## - ``\`` to ``\\`` ## -## In contrast to :bro:id:`clean`, this encoding is fully reversible.` +## In contrast to :zeek:id:`clean`, this encoding is fully reversible.` ## ## str: The string to escape. ## ## Returns: The escaped string. ## -## .. bro:see:: clean to_string_literal +## .. zeek:see:: clean to_string_literal function escape_string%(s: string%): string %{ char* escstr = s->AsString()->Render(BroString::ESC_HEX | BroString::ESC_ESC); @@ -1022,7 +1022,7 @@ function str_smith_waterman%(s1: string, s2: string, params: sw_params%) : sw_su ## ## Returns: A vector of strings. ## -## .. bro:see:: split split1 split_all split_n +## .. zeek:see:: split split1 split_all split_n function str_split%(s: string, idx: index_vec%): string_vec %{ vector* idx_v = idx->AsVector(); @@ -1057,7 +1057,7 @@ function str_split%(s: string, idx: index_vec%): string_vec ## ## Returns: A copy of *str* with leading and trailing whitespace removed. ## -## .. bro:see:: sub gsub lstrip rstrip +## .. zeek:see:: sub gsub lstrip rstrip function strip%(str: string%): string %{ const u_char* s = str->Bytes(); 
@@ -1105,7 +1105,7 @@ static bool should_strip(u_char c, const BroString* strip_chars) ## Returns: A copy of *str* with the characters in *chars* removed from ## the beginning. ## -## .. bro:see:: sub gsub strip rstrip +## .. zeek:see:: sub gsub strip rstrip function lstrip%(str: string, chars: string &default=" \t\n\r\v\f"%): string %{ const u_char* s = str->Bytes(); @@ -1136,7 +1136,7 @@ function lstrip%(str: string, chars: string &default=" \t\n\r\v\f"%): string ## Returns: A copy of *str* with the characters in *chars* removed from ## the end. ## -## .. bro:see:: sub gsub strip lstrip +## .. zeek:see:: sub gsub strip lstrip function rstrip%(str: string, chars: string &default=" \t\n\r\v\f"%): string %{ const u_char* s = str->Bytes(); @@ -1180,7 +1180,7 @@ function string_fill%(len: int, source: string%): string ## Takes a string and escapes characters that would allow execution of ## commands at the shell level. Must be used before including strings in -## :bro:id:`system` or similar calls. +## :zeek:id:`system` or similar calls. ## ## source: The string to escape. ## @@ -1191,7 +1191,7 @@ function string_fill%(len: int, source: string%): string ## backslash-escaped string in double-quotes to ultimately preserve ## the literal value of all input characters. ## -## .. bro:see:: system safe_shell_quote +## .. zeek:see:: system safe_shell_quote function safe_shell_quote%(source: string%): string %{ unsigned j = 0; 
@@ -1220,9 +1220,9 @@ function safe_shell_quote%(source: string%): string ## Takes a string and escapes characters that would allow execution of ## commands at the shell level. Must be used before including strings in -## :bro:id:`system` or similar calls. This function is deprecated, use -## :bro:see:`safe_shell_quote` as a replacement. The difference is that -## :bro:see:`safe_shell_quote` automatically returns a value that is +## :zeek:id:`system` or similar calls. This function is deprecated, use +## :zeek:see:`safe_shell_quote` as a replacement. The difference is that +## :zeek:see:`safe_shell_quote` automatically returns a value that is ## wrapped in double-quotes, which is required to correctly and fully ## escape any characters that might be interpreted by the shell. ## @@ -1230,7 +1230,7 @@ function safe_shell_quote%(source: string%): string ## ## Returns: A shell-escaped version of *source*. ## -## .. bro:see:: system safe_shell_quote +## .. zeek:see:: system safe_shell_quote function str_shell_escape%(source: string%): string &deprecated %{ unsigned j = 0; @@ -1267,7 +1267,7 @@ function str_shell_escape%(source: string%): string &deprecated ## ## Returns: The set of strings in *str* that match *re*, or the empty set. ## -## .. bro:see: find_last strstr +## .. zeek:see: find_last strstr function find_all%(str: string, re: pattern%) : string_set %{ TableVal* a = new TableVal(string_set); @@ -1301,7 +1301,7 @@ function find_all%(str: string, re: pattern%) : string_set ## ## Returns: The last string in *str* that matches *re*, or the empty string. ## -## .. bro:see: find_all strstr +## .. zeek:see: find_all strstr function find_last%(str: string, re: pattern%) : string %{ const u_char* s = str->Bytes(); 
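Review bot: The updated comment on `str_shell_escape` still opens with "Must be used before including strings in system or similar calls" and reaches the deprecation only in its second sentence, so a reader skimming the generated docs can take the deprecated function for the recommended one. The same comment states that wrapping in double-quotes is required to correctly and fully escape shell-interpreted characters and that `safe_shell_quote` is the function that does this, so the ordering matters for anyone building a `system` command line from untrusted strings. Consider leading with the deprecation, for example a first line `## Deprecated: use safe_shell_quote instead.`, and dropping the "Must be used" sentence from this function's text. The function body continues outside the hunk.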
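Review bot: The rewritten see-also lines for `find_all` and `find_last` keep a single colon, `## .. zeek:see: find_last strstr` and `## .. zeek:see: find_all strstr`, while every other hunk in this file writes the directive as `.. zeek:see::`. With one colon reST most likely treats the line as a comment rather than a directive, so the cross-references would drop out of the generated docs without a warning. Since the commit already touches both lines, they could become `## .. zeek:see:: find_last strstr` and `## .. zeek:see:: find_all strstr`. Both function bodies continue outside their hunks.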
@@ -1325,7 +1325,7 @@ function find_last%(str: string, re: pattern%) : string ## ## Returns: The hex dump of the given string. ## -## .. bro:see:: string_to_ascii_hex bytestring_to_hexstr +## .. zeek:see:: string_to_ascii_hex bytestring_to_hexstr ## ## .. note:: Based on Netdude's hex editor code. ## diff --git a/src/broxygen/CMakeLists.txt b/src/zeexygen/CMakeLists.txt similarity index 73% rename from src/broxygen/CMakeLists.txt rename to src/zeexygen/CMakeLists.txt index f41cd68ff5..43060866a9 100644 --- a/src/broxygen/CMakeLists.txt +++ b/src/zeexygen/CMakeLists.txt @@ -7,7 +7,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR} ) -set(broxygen_SRCS +set(zeexygen_SRCS Manager.cc Info.h PackageInfo.cc @@ -19,7 +19,7 @@ set(broxygen_SRCS utils.cc ) -bif_target(broxygen.bif) -bro_add_subdir_library(broxygen ${broxygen_SRCS}) +bif_target(zeexygen.bif) +bro_add_subdir_library(zeexygen ${zeexygen_SRCS}) -add_dependencies(bro_broxygen generate_outputs) +add_dependencies(bro_zeexygen generate_outputs) diff --git a/src/broxygen/Configuration.cc b/src/zeexygen/Configuration.cc similarity index 87% rename from src/broxygen/Configuration.cc rename to src/zeexygen/Configuration.cc index 4780e6ad99..7b1f5e35fd 100644 --- a/src/broxygen/Configuration.cc +++ b/src/zeexygen/Configuration.cc @@ -11,7 +11,7 @@ #include #include -using namespace broxygen; +using namespace zeexygen; using namespace std; static TargetFactory create_target_factory() @@ -37,7 +37,7 @@ Config::Config(const string& arg_file, const string& delim) ifstream f(file.c_str()); if ( ! f.is_open() ) - reporter->FatalError("failed to open Broxygen config file '%s': %s", + reporter->FatalError("failed to open Zeexygen config file '%s': %s", file.c_str(), strerror(errno)); string line; 
@@ -59,20 +59,20 @@ Config::Config(const string& arg_file, const string& delim) continue; if ( tokens.size() != 3 ) - reporter->FatalError("malformed Broxygen target in %s:%u: %s", + reporter->FatalError("malformed Zeexygen target in %s:%u: %s", file.c_str(), line_number, line.c_str()); Target* target = target_factory.Create(tokens[0], tokens[2], tokens[1]); if ( ! target ) - reporter->FatalError("unknown Broxygen target type: %s", + reporter->FatalError("unknown Zeexygen target type: %s", tokens[0].c_str()); targets.push_back(target); } if ( f.bad() ) - reporter->InternalError("error reading Broxygen config file '%s': %s", + reporter->InternalError("error reading Zeexygen config file '%s': %s", file.c_str(), strerror(errno)); } @@ -99,5 +99,5 @@ time_t Config::GetModificationTime() const if ( file.empty() ) return 0; - return broxygen::get_mtime(file); + return zeexygen::get_mtime(file); } diff --git a/src/broxygen/Configuration.h b/src/zeexygen/Configuration.h similarity index 80% rename from src/broxygen/Configuration.h rename to src/zeexygen/Configuration.h index d41deb2c71..a0da9761bc 100644 --- a/src/broxygen/Configuration.h +++ b/src/zeexygen/Configuration.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_CONFIGURATION_H -#define BROXYGEN_CONFIGURATION_H +#ifndef ZEEXYGEN_CONFIGURATION_H +#define ZEEXYGEN_CONFIGURATION_H #include "Info.h" #include "Target.h" @@ -9,7 +9,7 @@ #include #include -namespace broxygen { +namespace zeexygen { /** * Manages the generation of reStructuredText documents corresponding to 
@@ -22,8 +22,8 @@ class Config { public: /** - * Read a Broxygen configuration file, parsing all targets in it. - * @param file The file containing a list of Broxygen targets. If it's + * Read a Zeexygen configuration file, parsing all targets in it. + * @param file The file containing a list of Zeexygen targets. If it's * an empty string most methods are a no-op. * @param delim The delimiter between target fields. */ @@ -41,7 +41,7 @@ public: void FindDependencies(const std::vector& infos); /** - * Build each Broxygen target (i.e. write out the reST documents to disk). + * Build each Zeexygen target (i.e. write out the reST documents to disk). */ void GenerateDocs() const; @@ -58,6 +58,6 @@ private: TargetFactory target_factory; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/IdentifierInfo.cc b/src/zeexygen/IdentifierInfo.cc similarity index 97% rename from src/broxygen/IdentifierInfo.cc rename to src/zeexygen/IdentifierInfo.cc index afc0cf751a..ebb15373bf 100644 --- a/src/broxygen/IdentifierInfo.cc +++ b/src/zeexygen/IdentifierInfo.cc @@ -7,7 +7,7 @@ #include "Val.h" using namespace std; -using namespace broxygen; +using namespace zeexygen; IdentifierInfo::IdentifierInfo(ID* arg_id, ScriptInfo* script) : Info(), @@ -128,7 +128,7 @@ string IdentifierInfo::DoReStructuredText(bool roles_only) const { string s = comments[i]; - if ( broxygen::prettify_params(s) ) + if ( zeexygen::prettify_params(s) ) d.NL(); d.Add(s.c_str()); diff --git a/src/broxygen/IdentifierInfo.h b/src/zeexygen/IdentifierInfo.h similarity index 92% rename from src/broxygen/IdentifierInfo.h rename to src/zeexygen/IdentifierInfo.h index be7e721838..a930f67feb 100644 --- a/src/broxygen/IdentifierInfo.h +++ b/src/zeexygen/IdentifierInfo.h 
@@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_IDENTIFIERINFO_H -#define BROXYGEN_IDENTIFIERINFO_H +#ifndef ZEEXYGEN_IDENTIFIERINFO_H +#define ZEEXYGEN_IDENTIFIERINFO_H #include "Info.h" #include "ScriptInfo.h" @@ -14,7 +14,7 @@ #include #include -namespace broxygen { +namespace zeexygen { class ScriptInfo; @@ -42,7 +42,7 @@ public: * Add a comment associated with the identifier. If the identifier is a * record type and it's in the middle of parsing fields, the comment is * associated with the last field that was parsed. - * @param comment A string extracted from Broxygen-style comment. + * @param comment A string extracted from Zeexygen-style comment. */ void AddComment(const std::string& comment) { last_field_seen ? last_field_seen->comments.push_back(comment) @@ -102,13 +102,13 @@ public: std::string GetDeclaringScriptForField(const std::string& field) const; /** - * @return All Broxygen comments associated with the identifier. + * @return All Zeexygen comments associated with the identifier. */ std::vector GetComments() const; /** * @param field A record field name. - * @return All Broxygen comments associated with the record field. + * @return All Zeexygen comments associated with the record field. */ std::vector GetFieldComments(const std::string& field) const; @@ -118,7 +118,7 @@ public: struct Redefinition { std::string from_script; /**< Name of script doing the redef. */ std::string new_val_desc; /**< Description of new value bound to ID. */ - std::vector comments; /**< Broxygen comments on redef. */ + std::vector comments; /**< Zeexygen comments on redef. */ }; /** @@ -159,6 +159,6 @@ private: ScriptInfo* declaring_script; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/Info.h b/src/zeexygen/Info.h similarity index 89% rename from src/broxygen/Info.h rename to src/zeexygen/Info.h index 9df73f899f..46fba7b7b6 100644 --- a/src/broxygen/Info.h 
+++ b/src/zeexygen/Info.h @@ -1,15 +1,15 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_INFO_H -#define BROXYGEN_INFO_H +#ifndef ZEEXYGEN_INFO_H +#define ZEEXYGEN_INFO_H #include #include -namespace broxygen { +namespace zeexygen { /** - * Abstract base class for any thing that Broxygen can document. + * Abstract base class for any thing that Zeexygen can document. */ class Info { @@ -68,6 +68,6 @@ private: { } }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/Manager.cc b/src/zeexygen/Manager.cc similarity index 87% rename from src/broxygen/Manager.cc rename to src/zeexygen/Manager.cc index c54b05754e..d638705d8b 100644 --- a/src/broxygen/Manager.cc +++ b/src/zeexygen/Manager.cc @@ -7,7 +7,7 @@ #include #include -using namespace broxygen; +using namespace zeexygen; using namespace std; static void DbgAndWarn(const char* msg) @@ -19,7 +19,7 @@ static void DbgAndWarn(const char* msg) return; reporter->Warning("%s", msg); - DBG_LOG(DBG_BROXYGEN, "%s", msg); + DBG_LOG(DBG_ZEEXYGEN, "%s", msg); } static void WarnMissingScript(const char* type, const ID* id, @@ -28,7 +28,7 @@ static void WarnMissingScript(const char* type, const ID* id, if ( script == "" ) return; - DbgAndWarn(fmt("Can't generate Broxygen doumentation for %s %s, " + DbgAndWarn(fmt("Can't generate Zeexygen doumentation for %s %s, " "lookup of %s failed", type, id->Name(), script.c_str())); } 
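Review bot: The message rewritten in `WarnMissingScript` still reads `Can't generate Zeexygen doumentation for %s %s, ...`; "doumentation" is a typo carried over from the old line. The same misspelling is on the new side of the `StartType`, `RecordField` and `Redef` hunks further down in Manager.cc, where the tool name is also lower-case (`zeexygen`) although the other messages in this file use `Zeexygen`. Since all four strings are being edited anyway, they could read `Can't generate Zeexygen documentation for ...`, which keeps the warnings consistent and lets one search pattern match them in logs.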
@@ -83,7 +83,7 @@ Manager::Manager(const string& arg_config, const string& bro_command) // a PATH component that starts with a tilde (such as "~/bin"). A simple // workaround is to just run bro with a relative or absolute path. if ( path_to_bro.empty() || stat(path_to_bro.c_str(), &s) < 0 ) - reporter->InternalError("Broxygen can't get mtime of bro binary %s (try again by specifying the absolute or relative path to Bro): %s", + reporter->InternalError("Zeexygen can't get mtime of bro binary %s (try again by specifying the absolute or relative path to Bro): %s", path_to_bro.c_str(), strerror(errno)); bro_mtime = s.st_mtime; @@ -129,7 +129,7 @@ void Manager::Script(const string& path) if ( scripts.GetInfo(name) ) { - DbgAndWarn(fmt("Duplicate Broxygen script documentation: %s", + DbgAndWarn(fmt("Duplicate Zeexygen script documentation: %s", name.c_str())); return; } @@ -137,7 +137,7 @@ void Manager::Script(const string& path) ScriptInfo* info = new ScriptInfo(name, path); scripts.map[name] = info; all_info.push_back(info); - DBG_LOG(DBG_BROXYGEN, "Made ScriptInfo %s", name.c_str()); + DBG_LOG(DBG_ZEEXYGEN, "Made ScriptInfo %s", name.c_str()); if ( ! info->IsPkgLoader() ) return; @@ -146,7 +146,7 @@ void Manager::Script(const string& path) if ( packages.GetInfo(name) ) { - DbgAndWarn(fmt("Duplicate Broxygen package documentation: %s", + DbgAndWarn(fmt("Duplicate Zeexygen package documentation: %s", name.c_str())); return; } @@ -154,7 +154,7 @@ void Manager::Script(const string& path) PackageInfo* pkginfo = new PackageInfo(name); packages.map[name] = pkginfo; all_info.push_back(pkginfo); - DBG_LOG(DBG_BROXYGEN, "Made PackageInfo %s", name.c_str()); + DBG_LOG(DBG_ZEEXYGEN, "Made PackageInfo %s", name.c_str()); } void Manager::ScriptDependency(const string& path, const string& dep) 
@@ -164,7 +164,7 @@ void Manager::ScriptDependency(const string& path, const string& dep) if ( dep.empty() ) { - DbgAndWarn(fmt("Empty Broxygen script doc dependency: %s", + DbgAndWarn(fmt("Empty Zeexygen script doc dependency: %s", path.c_str())); return; } @@ -175,17 +175,17 @@ void Manager::ScriptDependency(const string& path, const string& dep) if ( ! script_info ) { - DbgAndWarn(fmt("Failed to add Broxygen script doc dependency %s " + DbgAndWarn(fmt("Failed to add Zeexygen script doc dependency %s " "for %s", depname.c_str(), name.c_str())); return; } script_info->AddDependency(depname); - DBG_LOG(DBG_BROXYGEN, "Added script dependency %s for %s", + DBG_LOG(DBG_ZEEXYGEN, "Added script dependency %s for %s", depname.c_str(), name.c_str()); for ( size_t i = 0; i < comment_buffer.size(); ++i ) - DbgAndWarn(fmt("Discarded extraneous Broxygen comment: %s", + DbgAndWarn(fmt("Discarded extraneous Zeexygen comment: %s", comment_buffer[i].c_str())); } @@ -199,13 +199,13 @@ void Manager::ModuleUsage(const string& path, const string& module) if ( ! script_info ) { - DbgAndWarn(fmt("Failed to add Broxygen module usage %s in %s", + DbgAndWarn(fmt("Failed to add Zeexygen module usage %s in %s", module.c_str(), name.c_str())); return; } script_info->AddModule(module); - DBG_LOG(DBG_BROXYGEN, "Added module usage %s in %s", + DBG_LOG(DBG_ZEEXYGEN, "Added module usage %s in %s", module.c_str(), name.c_str()); } @@ -246,7 +246,7 @@ void Manager::StartType(ID* id) if ( id->GetLocationInfo() == &no_location ) { - DbgAndWarn(fmt("Can't generate broxygen doumentation for %s, " + DbgAndWarn(fmt("Can't generate zeexygen doumentation for %s, " "no location available", id->Name())); return; } @@ -261,7 +261,7 @@ void Manager::StartType(ID* id) } incomplete_type = CreateIdentifierInfo(id, script_info); - DBG_LOG(DBG_BROXYGEN, "Made IdentifierInfo (incomplete) %s, in %s", + DBG_LOG(DBG_ZEEXYGEN, "Made IdentifierInfo (incomplete) %s, in %s", id->Name(), script.c_str()); } 
@@ -279,7 +279,7 @@ void Manager::Identifier(ID* id) { if ( incomplete_type->Name() == id->Name() ) { - DBG_LOG(DBG_BROXYGEN, "Finished document for type %s", id->Name()); + DBG_LOG(DBG_ZEEXYGEN, "Finished document for type %s", id->Name()); incomplete_type->CompletedTypeDecl(); incomplete_type = 0; return; @@ -309,7 +309,7 @@ void Manager::Identifier(ID* id) { // Internally-created identifier (e.g. file/proto analyzer enum tags). // Handled specially since they don't have a script location. - DBG_LOG(DBG_BROXYGEN, "Made internal IdentifierInfo %s", + DBG_LOG(DBG_ZEEXYGEN, "Made internal IdentifierInfo %s", id->Name()); CreateIdentifierInfo(id, 0); return; @@ -325,7 +325,7 @@ void Manager::Identifier(ID* id) } CreateIdentifierInfo(id, script_info); - DBG_LOG(DBG_BROXYGEN, "Made IdentifierInfo %s, in script %s", + DBG_LOG(DBG_ZEEXYGEN, "Made IdentifierInfo %s, in script %s", id->Name(), script.c_str()); } @@ -339,7 +339,7 @@ void Manager::RecordField(const ID* id, const TypeDecl* field, if ( ! idd ) { - DbgAndWarn(fmt("Can't generate broxygen doumentation for " + DbgAndWarn(fmt("Can't generate zeexygen doumentation for " "record field %s, unknown record: %s", field->id, id->Name())); return; @@ -348,7 +348,7 @@ void Manager::RecordField(const ID* id, const TypeDecl* field, string script = NormalizeScriptPath(path); idd->AddRecordField(field, script, comment_buffer); comment_buffer.clear(); - DBG_LOG(DBG_BROXYGEN, "Document record field %s, identifier %s, script %s", + DBG_LOG(DBG_ZEEXYGEN, "Document record field %s, identifier %s, script %s", field->id, id->Name(), script.c_str()); } @@ -365,7 +365,7 @@ void Manager::Redef(const ID* id, const string& path) if ( ! id_info ) { - DbgAndWarn(fmt("Can't generate broxygen doumentation for " + DbgAndWarn(fmt("Can't generate zeexygen doumentation for " "redef of %s, identifier lookup failed", id->Name())); return; 
@@ -384,7 +384,7 @@ void Manager::Redef(const ID* id, const string& path) script_info->AddRedef(id_info); comment_buffer.clear(); last_identifier_seen = id_info; - DBG_LOG(DBG_BROXYGEN, "Added redef of %s from %s", + DBG_LOG(DBG_ZEEXYGEN, "Added redef of %s from %s", id->Name(), from_script.c_str()); } @@ -421,7 +421,7 @@ void Manager::PostComment(const string& comment, const string& id_hint) if ( last_identifier_seen ) last_identifier_seen->AddComment(RemoveLeadingSpace(comment)); else - DbgAndWarn(fmt("Discarded unassociated Broxygen comment %s", + DbgAndWarn(fmt("Discarded unassociated Zeexygen comment %s", comment.c_str())); return; diff --git a/src/broxygen/Manager.h b/src/zeexygen/Manager.h similarity index 89% rename from src/broxygen/Manager.h rename to src/zeexygen/Manager.h index 7978adc180..5b2142e047 100644 --- a/src/broxygen/Manager.h +++ b/src/zeexygen/Manager.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_MANAGER_H -#define BROXYGEN_MANAGER_H +#ifndef ZEEXYGEN_MANAGER_H +#define ZEEXYGEN_MANAGER_H #include "Configuration.h" #include "Info.h" @@ -21,7 +21,7 @@ #include #include -namespace broxygen { +namespace zeexygen { /** * Map of info objects. Just a wrapper around std::map to improve code @@ -54,7 +54,7 @@ public: /** * Ctor. - * @param config Path to a Broxygen config file if documentation is to be + * @param config Path to a Zeexygen config file if documentation is to be * written to disk. * @param bro_command The command used to invoke the bro process. * It's used when checking for out-of-date targets. If the bro binary is @@ -80,7 +80,7 @@ public: void InitPostScript(); /** - * Builds all Broxygen targets specified by config file and write out + * Builds all Zeexygen targets specified by config file and write out * documentation to disk. */ void GenerateDocs() const; 
@@ -140,24 +140,24 @@ public: void Redef(const ID* id, const std::string& path); /** - * Register Broxygen script summary content. + * Register Zeexygen script summary content. * @param path Absolute path to a Bro script. - * @param comment Broxygen-style summary comment ("##!") to associate with + * @param comment Zeexygen-style summary comment ("##!") to associate with * script given by \a path. */ void SummaryComment(const std::string& path, const std::string& comment); /** - * Register a Broxygen comment ("##") for an upcoming identifier (i.e. + * Register a Zeexygen comment ("##") for an upcoming identifier (i.e. * this content is buffered and consumed by next identifier/field * declaration. - * @param comment Content of the Broxygen comment. + * @param comment Content of the Zeexygen comment. */ void PreComment(const std::string& comment); /** - * Register a Broxygen comment ("##<") for the last identifier seen. - * @param comment Content of the Broxygen comment. + * Register a Zeexygen comment ("##<") for the last identifier seen. + * @param comment Content of the Zeexygen comment. * @param identifier_hint Expected name of identifier with which to * associate \a comment. */ @@ -197,11 +197,11 @@ public: { return packages.GetInfo(name); } /** - * Check if a Broxygen target is up-to-date. - * @param target_file output file of a Broxygen target. + * Check if a Zeexygen target is up-to-date. + * @param target_file output file of a Zeexygen target. * @param dependencies all dependencies of the target. * @return true if modification time of \a target_file is newer than - * modification time of Bro binary, Broxygen config file, and all + * modification time of Bro binary, Zeexygen config file, and all * dependencies, else false. */ template 
@@ -241,7 +241,7 @@ bool Manager::IsUpToDate(const string& target_file, // Doesn't exist. return false; - reporter->InternalError("Broxygen failed to stat target file '%s': %s", + reporter->InternalError("Zeexygen failed to stat target file '%s': %s", target_file.c_str(), strerror(errno)); } @@ -258,8 +258,8 @@ bool Manager::IsUpToDate(const string& target_file, return true; } -} // namespace broxygen +} // namespace zeexygen -extern broxygen::Manager* broxygen_mgr; +extern zeexygen::Manager* zeexygen_mgr; #endif diff --git a/src/broxygen/PackageInfo.cc b/src/zeexygen/PackageInfo.cc similarity index 85% rename from src/broxygen/PackageInfo.cc rename to src/zeexygen/PackageInfo.cc index 1cbff5a07f..1fd607fd08 100644 --- a/src/broxygen/PackageInfo.cc +++ b/src/zeexygen/PackageInfo.cc @@ -9,7 +9,7 @@ #include using namespace std; -using namespace broxygen; +using namespace zeexygen; PackageInfo::PackageInfo(const string& arg_name) : Info(), @@ -23,7 +23,7 @@ PackageInfo::PackageInfo(const string& arg_name) ifstream f(readme_file.c_str()); if ( ! f.is_open() ) - reporter->InternalWarning("Broxygen failed to open '%s': %s", + reporter->InternalWarning("Zeexygen failed to open '%s': %s", readme_file.c_str(), strerror(errno)); string line; @@ -32,7 +32,7 @@ PackageInfo::PackageInfo(const string& arg_name) readme.push_back(line); if ( f.bad() ) - reporter->InternalWarning("Broxygen error reading '%s': %s", + reporter->InternalWarning("Zeexygen error reading '%s': %s", readme_file.c_str(), strerror(errno)); } @@ -54,5 +54,5 @@ time_t PackageInfo::DoGetModificationTime() const if ( readme_file.empty() ) return 0; - return broxygen::get_mtime(readme_file); + return zeexygen::get_mtime(readme_file); } diff --git a/src/broxygen/PackageInfo.h b/src/zeexygen/PackageInfo.h similarity index 89% rename from src/broxygen/PackageInfo.h rename to src/zeexygen/PackageInfo.h index 967bbe3443..977f31fece 100644 --- a/src/broxygen/PackageInfo.h +++ b/src/zeexygen/PackageInfo.h 
@@ -1,14 +1,14 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_PACKAGEINFO_H -#define BROXYGEN_PACKAGEINFO_H +#ifndef ZEEXYGEN_PACKAGEINFO_H +#define ZEEXYGEN_PACKAGEINFO_H #include "Info.h" #include #include -namespace broxygen { +namespace zeexygen { /** * Information about a Bro script package. @@ -45,6 +45,6 @@ private: std::vector readme; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/ReStructuredTextTable.cc b/src/zeexygen/ReStructuredTextTable.cc similarity index 98% rename from src/broxygen/ReStructuredTextTable.cc rename to src/zeexygen/ReStructuredTextTable.cc index 2cdb774224..c8306313e5 100644 --- a/src/broxygen/ReStructuredTextTable.cc +++ b/src/zeexygen/ReStructuredTextTable.cc @@ -5,7 +5,7 @@ #include using namespace std; -using namespace broxygen; +using namespace zeexygen; ReStructuredTextTable::ReStructuredTextTable(size_t arg_num_cols) : num_cols(arg_num_cols), rows(), longest_row_in_column() diff --git a/src/broxygen/ReStructuredTextTable.h b/src/zeexygen/ReStructuredTextTable.h similarity index 92% rename from src/broxygen/ReStructuredTextTable.h rename to src/zeexygen/ReStructuredTextTable.h index 34cc30c332..9a4059ca83 100644 --- a/src/broxygen/ReStructuredTextTable.h +++ b/src/zeexygen/ReStructuredTextTable.h @@ -1,12 +1,12 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_RESTTABLE_H -#define BROXYGEN_RESTTABLE_H +#ifndef ZEEXYGEN_RESTTABLE_H +#define ZEEXYGEN_RESTTABLE_H #include #include -namespace broxygen { +namespace zeexygen { /** * A reST table with arbitrary number of columns. @@ -48,6 +48,6 @@ private: std::vector longest_row_in_column; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/ScriptInfo.cc b/src/zeexygen/ScriptInfo.cc similarity index 86% rename from src/broxygen/ScriptInfo.cc rename to src/zeexygen/ScriptInfo.cc index b13498bddb..47769c615a 100644 
--- a/src/broxygen/ScriptInfo.cc +++ b/src/zeexygen/ScriptInfo.cc @@ -10,7 +10,7 @@ #include "Desc.h" using namespace std; -using namespace broxygen; +using namespace zeexygen; bool IdInfoComp::operator ()(const IdentifierInfo* lhs, const IdentifierInfo* rhs) const @@ -24,11 +24,11 @@ static vector summary_comment(const vector& cmnts) for ( size_t i = 0; i < cmnts.size(); ++i ) { - size_t end = broxygen::end_of_first_sentence(cmnts[i]); + size_t end = zeexygen::end_of_first_sentence(cmnts[i]); if ( end == string::npos ) { - if ( broxygen::is_all_whitespace(cmnts[i]) ) + if ( zeexygen::is_all_whitespace(cmnts[i]) ) break; rval.push_back(cmnts[i]); @@ -86,7 +86,7 @@ static string make_summary(const string& heading, char underline, char border, add_summary_rows(d, summary_comment((*it)->GetComments()), &table); } - return broxygen::make_heading(heading, underline) + table.AsString(border) + return zeexygen::make_heading(heading, underline) + table.AsString(border) + "\n"; } @@ -115,7 +115,7 @@ static string make_redef_summary(const string& heading, char underline, add_summary_rows(d, summary_comment(iit->comments), &table); } - return broxygen::make_heading(heading, underline) + table.AsString(border) + return zeexygen::make_heading(heading, underline) + table.AsString(border) + "\n"; } @@ -125,7 +125,7 @@ static string make_details(const string& heading, char underline, if ( id_list.empty() ) return ""; - string rval = broxygen::make_heading(heading, underline); + string rval = zeexygen::make_heading(heading, underline); for ( id_info_list::const_iterator it = id_list.begin(); it != id_list.end(); ++it ) @@ -143,7 +143,7 @@ static string make_redef_details(const string& heading, char underline, if ( id_set.empty() ) return ""; - string rval = broxygen::make_heading(heading, underline); + string rval = zeexygen::make_heading(heading, underline); for ( id_info_set::const_iterator it = id_set.begin(); it != id_set.end(); ++it ) 
@@ -178,13 +178,13 @@ void ScriptInfo::DoInitPostScript() IdentifierInfo* info = it->second; ID* id = info->GetID(); - if ( ! broxygen::is_public_api(id) ) + if ( ! zeexygen::is_public_api(id) ) continue; if ( id->AsType() ) { types.push_back(info); - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a type", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a type", id->Name(), name.c_str()); continue; } @@ -193,17 +193,17 @@ void ScriptInfo::DoInitPostScript() { switch ( id->Type()->AsFuncType()->Flavor() ) { case FUNC_FLAVOR_HOOK: - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a hook", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a hook", id->Name(), name.c_str()); hooks.push_back(info); break; case FUNC_FLAVOR_EVENT: - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a event", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a event", id->Name(), name.c_str()); events.push_back(info); break; case FUNC_FLAVOR_FUNCTION: - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a function", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a function", id->Name(), name.c_str()); functions.push_back(info); break; @@ -219,13 +219,13 @@ void ScriptInfo::DoInitPostScript() { if ( id->FindAttr(ATTR_REDEF) ) { - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a redef_option", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a redef_option", id->Name(), name.c_str()); redef_options.push_back(info); } else { - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a constant", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a constant", id->Name(), name.c_str()); constants.push_back(info); } @@ -234,7 +234,7 @@ void ScriptInfo::DoInitPostScript() } else if ( id->IsOption() ) { - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as an runtime option", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as an runtime option", id->Name(), name.c_str()); options.push_back(info); 
@@ -246,7 +246,7 @@ void ScriptInfo::DoInitPostScript() // documentation. continue; - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a state variable", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a state variable", id->Name(), name.c_str()); state_vars.push_back(info); } @@ -275,11 +275,11 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const string rval; rval += ":tocdepth: 3\n\n"; - rval += broxygen::make_heading(name, '='); + rval += zeexygen::make_heading(name, '='); for ( string_set::const_iterator it = module_usages.begin(); it != module_usages.end(); ++it ) - rval += ".. bro:namespace:: " + *it + "\n"; + rval += ".. zeek:namespace:: " + *it + "\n"; rval += "\n"; @@ -329,7 +329,7 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const //rval += fmt(":Source File: :download:`/scripts/%s`\n", name.c_str()); rval += "\n"; - rval += broxygen::make_heading("Summary", '~'); + rval += zeexygen::make_heading("Summary", '~'); rval += make_summary("Runtime Options", '#', '=', options); rval += make_summary("Redefinable Options", '#', '=', redef_options); rval += make_summary("Constants", '#', '=', constants); @@ -340,7 +340,7 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const rval += make_summary("Hooks", '#', '=', hooks); rval += make_summary("Functions", '#', '=', functions); rval += "\n"; - rval += broxygen::make_heading("Detailed Interface", '~'); + rval += zeexygen::make_heading("Detailed Interface", '~'); rval += make_details("Runtime Options", '#', options); rval += make_details("Redefinable Options", '#', redef_options); rval += make_details("Constants", '#', constants); 
@@ -356,25 +356,25 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const time_t ScriptInfo::DoGetModificationTime() const { - time_t most_recent = broxygen::get_mtime(path); + time_t most_recent = zeexygen::get_mtime(path); for ( string_set::const_iterator it = dependencies.begin(); it != dependencies.end(); ++it ) { - Info* info = broxygen_mgr->GetScriptInfo(*it); + Info* info = zeexygen_mgr->GetScriptInfo(*it); if ( ! info ) { for (const string& ext : script_extensions) { string pkg_name = *it + "/__load__" + ext; - info = broxygen_mgr->GetScriptInfo(pkg_name); + info = zeexygen_mgr->GetScriptInfo(pkg_name); if ( info ) break; } if ( ! info ) - reporter->InternalWarning("Broxygen failed to get mtime of %s", + reporter->InternalWarning("Zeexygen failed to get mtime of %s", it->c_str()); continue; } diff --git a/src/broxygen/ScriptInfo.h b/src/zeexygen/ScriptInfo.h similarity index 92% rename from src/broxygen/ScriptInfo.h rename to src/zeexygen/ScriptInfo.h index dd43e15a4e..fb0f0c15ae 100644 --- a/src/broxygen/ScriptInfo.h +++ b/src/zeexygen/ScriptInfo.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_SCRIPTINFO_H -#define BROXYGEN_SCRIPTINFO_H +#ifndef ZEEXYGEN_SCRIPTINFO_H +#define ZEEXYGEN_SCRIPTINFO_H #include "Info.h" #include "IdentifierInfo.h" @@ -12,7 +12,7 @@ #include #include -namespace broxygen { +namespace zeexygen { class IdentifierInfo; @@ -39,7 +39,7 @@ public: ScriptInfo(const std::string& name, const std::string& path); /** - * Associate a Broxygen summary comment ("##!") with the script. + * Associate a Zeexygen summary comment ("##!") with the script. * @param comment String extracted from the comment. */ void AddComment(const std::string& comment) @@ -83,7 +83,7 @@ public: { return is_pkg_loader; } /** - * @return All the scripts Broxygen summary comments. + * @return All the scripts Zeexygen summary comments. */ std::vector GetComments() const; 
@@ -119,6 +119,6 @@ private: id_info_set redefs; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/Target.cc b/src/zeexygen/Target.cc similarity index 89% rename from src/broxygen/Target.cc rename to src/zeexygen/Target.cc index 98b74ff8db..406f6ffe4d 100644 --- a/src/broxygen/Target.cc +++ b/src/zeexygen/Target.cc @@ -16,7 +16,7 @@ #include using namespace std; -using namespace broxygen; +using namespace zeexygen; static void write_plugin_section_heading(FILE* f, const plugin::Plugin* p) { @@ -38,7 +38,7 @@ static void write_analyzer_component(FILE* f, const analyzer::Component* c) if ( atag->Lookup("Analyzer", tag.c_str()) < 0 ) reporter->InternalError("missing analyzer tag for %s", tag.c_str()); - fprintf(f, ":bro:enum:`Analyzer::%s`\n\n", tag.c_str()); + fprintf(f, ":zeek:enum:`Analyzer::%s`\n\n", tag.c_str()); } static void write_analyzer_component(FILE* f, const file_analysis::Component* c) @@ -49,7 +49,7 @@ static void write_analyzer_component(FILE* f, const file_analysis::Component* c) if ( atag->Lookup("Files", tag.c_str()) < 0 ) reporter->InternalError("missing analyzer tag for %s", tag.c_str()); - fprintf(f, ":bro:enum:`Files::%s`\n\n", tag.c_str()); + fprintf(f, ":zeek:enum:`Files::%s`\n\n", tag.c_str()); } static void write_plugin_components(FILE* f, const plugin::Plugin* p) @@ -123,13 +123,13 @@ static void write_plugin_bif_items(FILE* f, const plugin::Plugin* p, for ( it = bifitems.begin(); it != bifitems.end(); ++it ) { - broxygen::IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo( + zeexygen::IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo( it->GetID()); if ( doc ) fprintf(f, "%s\n\n", doc->ReStructuredText().c_str()); else - reporter->InternalWarning("Broxygen ID lookup failed: %s\n", + reporter->InternalWarning("Zeexygen ID lookup failed: %s\n", it->GetID().c_str()); } } 
@@ -138,10 +138,10 @@ static void WriteAnalyzerTagDefn(FILE* f, const string& module) { string tag_id = module + "::Tag"; - broxygen::IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(tag_id); + zeexygen::IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(tag_id); if ( ! doc ) - reporter->InternalError("Broxygen failed analyzer tag lookup: %s", + reporter->InternalError("Zeexygen failed analyzer tag lookup: %s", tag_id.c_str()); fprintf(f, "%s\n", doc->ReStructuredText().c_str()); @@ -177,7 +177,7 @@ static vector filter_matches(const vector& from, Target* t) if ( t->MatchesPattern(d) ) { - DBG_LOG(DBG_BROXYGEN, "'%s' matched pattern for target '%s'", + DBG_LOG(DBG_ZEEXYGEN, "'%s' matched pattern for target '%s'", d->Name().c_str(), t->Name().c_str()); rval.push_back(d); } @@ -194,14 +194,14 @@ TargetFile::TargetFile(const string& arg_name) string dir = SafeDirname(name).result; if ( ! ensure_intermediate_dirs(dir.c_str()) ) - reporter->FatalError("Broxygen failed to make dir %s", + reporter->FatalError("Zeexygen failed to make dir %s", dir.c_str()); } f = fopen(name.c_str(), "w"); if ( ! f ) - reporter->FatalError("Broxygen failed to open '%s' for writing: %s", + reporter->FatalError("Zeexygen failed to open '%s' for writing: %s", name.c_str(), strerror(errno)); } @@ -210,7 +210,7 @@ TargetFile::~TargetFile() if ( f ) fclose(f); - DBG_LOG(DBG_BROXYGEN, "Wrote out-of-date target '%s'", name.c_str()); + DBG_LOG(DBG_ZEEXYGEN, "Wrote out-of-date target '%s'", name.c_str()); } @@ -245,11 +245,11 @@ void AnalyzerTarget::DoFindDependencies(const std::vector& infos) void AnalyzerTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), vector()) ) + if ( zeexygen_mgr->IsUpToDate(Name(), vector()) ) return; if ( Pattern() != "*" ) - reporter->InternalWarning("Broxygen only implements analyzer target" + reporter->InternalWarning("Zeexygen only implements analyzer target" " pattern '*'"); TargetFile file(Name()); 
@@ -313,7 +313,7 @@ void PackageTarget::DoFindDependencies(const vector& infos) pkg_deps = filter_matches(infos, this); if ( pkg_deps.empty() ) - reporter->FatalError("No match for Broxygen target '%s' pattern '%s'", + reporter->FatalError("No match for Zeexygen target '%s' pattern '%s'", Name().c_str(), Pattern().c_str()); for ( size_t i = 0; i < infos.size(); ++i ) @@ -329,7 +329,7 @@ void PackageTarget::DoFindDependencies(const vector& infos) pkg_deps[j]->Name().size())) continue; - DBG_LOG(DBG_BROXYGEN, "Script %s associated with package %s", + DBG_LOG(DBG_ZEEXYGEN, "Script %s associated with package %s", script->Name().c_str(), pkg_deps[j]->Name().c_str()); pkg_manifest[pkg_deps[j]].push_back(script); script_deps.push_back(script); @@ -339,8 +339,8 @@ void PackageTarget::DoFindDependencies(const vector& infos) void PackageTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), script_deps) && - broxygen_mgr->IsUpToDate(Name(), pkg_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), script_deps) && + zeexygen_mgr->IsUpToDate(Name(), pkg_deps) ) return; TargetFile file(Name()); @@ -382,13 +382,13 @@ void PackageIndexTarget::DoFindDependencies(const vector& infos) pkg_deps = filter_matches(infos, this); if ( pkg_deps.empty() ) - reporter->FatalError("No match for Broxygen target '%s' pattern '%s'", + reporter->FatalError("No match for Zeexygen target '%s' pattern '%s'", Name().c_str(), Pattern().c_str()); } void PackageIndexTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), pkg_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), pkg_deps) ) return; TargetFile file(Name()); @@ -402,7 +402,7 @@ void ScriptTarget::DoFindDependencies(const vector& infos) script_deps = filter_matches(infos, this); if ( script_deps.empty() ) - reporter->FatalError("No match for Broxygen target '%s' pattern '%s'", + reporter->FatalError("No match for Zeexygen target '%s' pattern '%s'", Name().c_str(), Pattern().c_str()); if ( ! IsDir() ) 
@@ -483,7 +483,7 @@ void ScriptTarget::DoGenerate() const vector dep; dep.push_back(script_deps[i]); - if ( broxygen_mgr->IsUpToDate(target_filename, dep) ) + if ( zeexygen_mgr->IsUpToDate(target_filename, dep) ) continue; TargetFile file(target_filename); @@ -508,7 +508,7 @@ void ScriptTarget::DoGenerate() const reporter->Warning("Failed to unlink %s: %s", f.c_str(), strerror(errno)); - DBG_LOG(DBG_BROXYGEN, "Delete stale script file %s", f.c_str()); + DBG_LOG(DBG_ZEEXYGEN, "Delete stale script file %s", f.c_str()); } return; @@ -516,7 +516,7 @@ void ScriptTarget::DoGenerate() const // Target is a single file, all matching scripts get written there. - if ( broxygen_mgr->IsUpToDate(Name(), script_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), script_deps) ) return; TargetFile file(Name()); @@ -527,7 +527,7 @@ void ScriptTarget::DoGenerate() const void ScriptSummaryTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), script_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), script_deps) ) return; TargetFile file(Name()); @@ -552,7 +552,7 @@ void ScriptSummaryTarget::DoGenerate() const void ScriptIndexTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), script_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), script_deps) ) return; TargetFile file(Name()); @@ -577,13 +577,13 @@ void IdentifierTarget::DoFindDependencies(const vector& infos) id_deps = filter_matches(infos, this); if ( id_deps.empty() ) - reporter->FatalError("No match for Broxygen target '%s' pattern '%s'", + reporter->FatalError("No match for Zeexygen target '%s' pattern '%s'", Name().c_str(), Pattern().c_str()); } void IdentifierTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), id_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), id_deps) ) return; TargetFile file(Name()); diff --git a/src/broxygen/Target.h b/src/zeexygen/Target.h similarity index 96% rename from src/broxygen/Target.h rename to src/zeexygen/Target.h index 7f18697eaf..ef3c8b2e00 100644 
--- a/src/broxygen/Target.h +++ b/src/zeexygen/Target.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_TARGET_H -#define BROXYGEN_TARGET_H +#ifndef ZEEXYGEN_TARGET_H +#define ZEEXYGEN_TARGET_H #include "Info.h" #include "PackageInfo.h" @@ -13,7 +13,7 @@ #include #include -namespace broxygen { +namespace zeexygen { /** * Helper class to create files in arbitrary file paths and automatically @@ -39,7 +39,7 @@ struct TargetFile { }; /** - * A Broxygen target abstract base class. A target is generally any portion of + * A Zeexygen target abstract base class. A target is generally any portion of * documentation that Bro can build. It's identified by a type (e.g. script, * identifier, package), a pattern (e.g. "example.zeek", "HTTP::Info"), and * a path to an output file. @@ -125,7 +125,7 @@ public: /** * Register a new target type. - * @param type_name The target type name as it will appear in Broxygen + * @param type_name The target type name as it will appear in Zeexygen * config files. */ template @@ -136,7 +136,7 @@ public: /** * Instantiate a target. - * @param type_name The target type name as it appears in Broxygen config + * @param type_name The target type name as it appears in Zeexygen config * files. * @param name The output file name of the target. * @param pattern The dependency pattern of the target. @@ -384,6 +384,6 @@ private: std::vector id_deps; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/utils.cc b/src/zeexygen/utils.cc similarity index 83% rename from src/broxygen/utils.cc rename to src/zeexygen/utils.cc index 93f822b846..5cf76c1af6 100644 --- a/src/broxygen/utils.cc +++ b/src/zeexygen/utils.cc 
@@ -7,10 +7,10 @@ #include #include -using namespace broxygen; +using namespace zeexygen; using namespace std; -bool broxygen::prettify_params(string& s) +bool zeexygen::prettify_params(string& s) { size_t identifier_start_pos = 0; bool in_identifier = false; @@ -76,29 +76,29 @@ bool broxygen::prettify_params(string& s) return false; } -bool broxygen::is_public_api(const ID* id) +bool zeexygen::is_public_api(const ID* id) { return (id->Scope() == SCOPE_GLOBAL) || (id->Scope() == SCOPE_MODULE && id->IsExport()); } -time_t broxygen::get_mtime(const string& filename) +time_t zeexygen::get_mtime(const string& filename) { struct stat s; if ( stat(filename.c_str(), &s) < 0 ) - reporter->InternalError("Broxygen failed to stat file '%s': %s", + reporter->InternalError("Zeexygen failed to stat file '%s': %s", filename.c_str(), strerror(errno)); return s.st_mtime; } -string broxygen::make_heading(const string& heading, char underline) +string zeexygen::make_heading(const string& heading, char underline) { return heading + "\n" + string(heading.size(), underline) + "\n"; } -size_t broxygen::end_of_first_sentence(const string& s) +size_t zeexygen::end_of_first_sentence(const string& s) { size_t rval = 0; @@ -119,7 +119,7 @@ size_t broxygen::end_of_first_sentence(const string& s) return rval; } -bool broxygen::is_all_whitespace(const string& s) +bool zeexygen::is_all_whitespace(const string& s) { for ( size_t i = 0; i < s.size(); ++i ) if ( ! isspace(s[i]) ) @@ -128,7 +128,7 @@ bool broxygen::is_all_whitespace(const string& s) return true; } -string broxygen::redef_indication(const string& from_script) +string zeexygen::redef_indication(const string& from_script) { return fmt("(present if :doc:`/scripts/%s` is loaded)", from_script.c_str()); diff --git a/src/broxygen/utils.h b/src/zeexygen/utils.h similarity index 88% rename from src/broxygen/utils.h rename to src/zeexygen/utils.h index 7e11019a3d..b9a99a71f7 100644 --- a/src/broxygen/utils.h +++ b/src/zeexygen/utils.h 
@@ -1,18 +1,18 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_UTILS_H -#define BROXYGEN_UTILS_H +#ifndef ZEEXYGEN_UTILS_H +#define ZEEXYGEN_UTILS_H #include "ID.h" #include -namespace broxygen { +namespace zeexygen { /** - * Transform content of a Broxygen comment which may contain function + * Transform content of a Zeexygen comment which may contain function * parameter or return value documentation to a prettier reST format. - * @param s Content from a Broxygen comment to transform. "id: ..." and + * @param s Content from a Zeexygen comment to transform. "id: ..." and * "Returns: ..." change to ":id: ..." and ":returns: ...". * @return Whether any content in \a s was transformed. */ @@ -62,6 +62,6 @@ bool is_all_whitespace(const std::string& s); */ std::string redef_indication(const std::string& from_script); -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/broxygen.bif b/src/zeexygen/zeexygen.bif similarity index 81% rename from src/broxygen/broxygen.bif rename to src/zeexygen/zeexygen.bif index 4b2f5653b2..f7ce04d292 100644 --- a/src/broxygen/broxygen.bif +++ b/src/zeexygen/zeexygen.bif @@ -3,7 +3,7 @@ ##! Functions for querying script, package, or variable documentation. %%{ -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" #include "util.h" static StringVal* comments_to_val(const vector& comments) @@ -12,7 +12,7 @@ static StringVal* comments_to_val(const vector& comments) } %%} -## Retrieve the Broxygen-style comments (``##``) associated with an identifier +## Retrieve the Zeexygen-style comments (``##``) associated with an identifier ## (e.g. a variable or type). ## ## name: a script-level identifier for which to retrieve comments. 
@@ -21,8 +21,8 @@ static StringVal* comments_to_val(const vector& comments) ## identifier, an empty string is returned. function get_identifier_comments%(name: string%): string %{ - using namespace broxygen; - IdentifierInfo* d = broxygen_mgr->GetIdentifierInfo(name->CheckString()); + using namespace zeexygen; + IdentifierInfo* d = zeexygen_mgr->GetIdentifierInfo(name->CheckString()); if ( ! d ) return val_mgr->GetEmptyString(); @@ -30,7 +30,7 @@ function get_identifier_comments%(name: string%): string return comments_to_val(d->GetComments()); %} -## Retrieve the Broxygen-style summary comments (``##!``) associated with +## Retrieve the Zeexygen-style summary comments (``##!``) associated with ## a Bro script. ## ## name: the name of a Bro script. It must be a relative path to where @@ -41,8 +41,8 @@ function get_identifier_comments%(name: string%): string ## *name* is not a known script, an empty string is returned. function get_script_comments%(name: string%): string %{ - using namespace broxygen; - ScriptInfo* d = broxygen_mgr->GetScriptInfo(name->CheckString()); + using namespace zeexygen; + ScriptInfo* d = zeexygen_mgr->GetScriptInfo(name->CheckString()); if ( ! d ) return val_mgr->GetEmptyString(); @@ -59,8 +59,8 @@ function get_script_comments%(name: string%): string ## package, an empty string is returned. function get_package_readme%(name: string%): string %{ - using namespace broxygen; - PackageInfo* d = broxygen_mgr->GetPackageInfo(name->CheckString()); + using namespace zeexygen; + PackageInfo* d = zeexygen_mgr->GetPackageInfo(name->CheckString()); if ( ! d ) return val_mgr->GetEmptyString(); 
@@ -68,7 +68,7 @@ function get_package_readme%(name: string%): string return comments_to_val(d->GetReadme()); %} -## Retrieve the Broxygen-style comments (``##``) associated with a record field. +## Retrieve the Zeexygen-style comments (``##``) associated with a record field. ## ## name: the name of a record type and a field within it formatted like ## a typical record field access: "$". @@ -78,7 +78,7 @@ function get_package_readme%(name: string%): string ## type, an empty string is returned. function get_record_field_comments%(name: string%): string %{ - using namespace broxygen; + using namespace zeexygen; string accessor = name->CheckString(); size_t i = accessor.find('$'); @@ -87,7 +87,7 @@ function get_record_field_comments%(name: string%): string string id = accessor.substr(0, i); - IdentifierInfo* d = broxygen_mgr->GetIdentifierInfo(id); + IdentifierInfo* d = zeexygen_mgr->GetIdentifierInfo(id); if ( ! d ) return val_mgr->GetEmptyString(); diff --git a/testing/btest/Baseline/core.plugins.hooks/output b/testing/btest/Baseline/core.plugins.hooks/output index f030cb0af2..2725e48507 100644 --- a/testing/btest/Baseline/core.plugins.hooks/output +++ b/testing/btest/Baseline/core.plugins.hooks/output @@ -275,7 +275,7 @@ 0.000000 MetaHookPost LoadFile(./average) -> -1 0.000000 MetaHookPost LoadFile(./bloom-filter.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./bro.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./broxygen.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./zeexygen.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./cardinality-counter.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./const.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./consts) -> -1 
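Review bot: The renamed entry `./zeexygen.bif.bro` is left in the slot that `./broxygen.bif.bro` occupied, between `./bro.bif.bro` and `./cardinality-counter.bif.bro`, and the hunks at -855 and -1435 of this baseline do the same. The neighbouring entries (`./average`, `./bloom-filter.bif.bro`, `./bro.bif.bro`, `./cardinality-counter.bif.bro`, `./const.bif.bro`, `./consts`) look alphabetically ordered, so if the test sorts its output before diffing, the new name would sort well after these lines and the baseline would stop matching. Regenerating the baseline from an actual test run, rather than substituting the name in place, would settle it. The ordering is inferred from the visible context lines only, since the test's command line is not part of this diff.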
@@ -855,7 +855,7 @@ 0.000000 MetaHookPre LoadFile(./average) 0.000000 MetaHookPre LoadFile(./bloom-filter.bif.bro) 0.000000 MetaHookPre LoadFile(./bro.bif.bro) -0.000000 MetaHookPre LoadFile(./broxygen.bif.bro) +0.000000 MetaHookPre LoadFile(./zeexygen.bif.bro) 0.000000 MetaHookPre LoadFile(./cardinality-counter.bif.bro) 0.000000 MetaHookPre LoadFile(./const.bif.bro) 0.000000 MetaHookPre LoadFile(./consts) @@ -1435,7 +1435,7 @@ 0.000000 | HookLoadFile ./average.bro/bro 0.000000 | HookLoadFile ./bloom-filter.bif.bro/bro 0.000000 | HookLoadFile ./bro.bif.bro/bro -0.000000 | HookLoadFile ./broxygen.bif.bro/bro +0.000000 | HookLoadFile ./zeexygen.bif.bro/bro 0.000000 | HookLoadFile ./cardinality-counter.bif.bro/bro 0.000000 | HookLoadFile ./const.bif.bro/bro 0.000000 | HookLoadFile ./consts.bif.bro/bro diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 55c2c7c9f3..1976784e41 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -55,7 +55,7 @@ scripts/base/init-frameworks-and-bifs.zeek scripts/base/utils/patterns.zeek scripts/base/frameworks/files/magic/__load__.zeek build/scripts/base/bif/__load__.zeek - build/scripts/base/bif/broxygen.bif.zeek + build/scripts/base/bif/zeexygen.bif.zeek build/scripts/base/bif/pcap.bif.zeek build/scripts/base/bif/bloom-filter.bif.zeek build/scripts/base/bif/cardinality-counter.bif.zeek diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/errors b/testing/btest/Baseline/coverage.bare-mode-errors/errors index 68129bbab6..6595a63eb3 100644 --- a/testing/btest/Baseline/coverage.bare-mode-errors/errors +++ b/testing/btest/Baseline/coverage.bare-mode-errors/errors 
@@ -6,7 +6,7 @@ warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_ warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 260: deprecated (dhcp_nak) warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 263: deprecated (dhcp_release) warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 266: deprecated (dhcp_inform) -warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/testing/btest/../../scripts//broxygen/__load__.zeek:10 "Use '@load base/protocols/smb' instead" +warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/testing/btest/../../scripts//zeexygen/__load__.zeek:10 "Use '@load base/protocols/smb' instead" warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 245: deprecated (dhcp_discover) warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 248: deprecated (dhcp_offer) warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 251: deprecated (dhcp_request) diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 6c7f592b5f..7951d68e2b 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -55,7 +55,7 @@ scripts/base/init-frameworks-and-bifs.zeek scripts/base/utils/patterns.zeek scripts/base/frameworks/files/magic/__load__.zeek build/scripts/base/bif/__load__.zeek - build/scripts/base/bif/broxygen.bif.zeek + build/scripts/base/bif/zeexygen.bif.zeek build/scripts/base/bif/pcap.bif.zeek build/scripts/base/bif/bloom-filter.bif.zeek build/scripts/base/bif/cardinality-counter.bif.zeek diff --git a/testing/btest/Baseline/doc.broxygen.example/example.rst b/testing/btest/Baseline/doc.broxygen.example/example.rst deleted file mode 100644 index e012c20051..0000000000 --- a/testing/btest/Baseline/doc.broxygen.example/example.rst +++ /dev/null 
@@ -1,248 +0,0 @@ -:tocdepth: 3 - -broxygen/example.zeek -===================== -.. bro:namespace:: BroxygenExample - -This is an example script that demonstrates Broxygen-style -documentation. It generally will make most sense when viewing -the script's raw source code and comparing to the HTML-rendered -version. - -Comments in the from ``##!`` are meant to summarize the script's -purpose. They are transferred directly in to the generated -`reStructuredText `_ -(reST) document associated with the script. - -.. tip:: You can embed directives and roles within ``##``-stylized comments. - -There's also a custom role to reference any identifier node in -the Bro Sphinx domain that's good for "see alsos", e.g. - -See also: :bro:see:`BroxygenExample::a_var`, -:bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` - -And a custom directive does the equivalent references: - -.. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info - -:Namespace: BroxygenExample -:Imports: :doc:`base/frameworks/notice `, :doc:`base/protocols/http `, :doc:`policy/frameworks/software/vulnerable.zeek ` - -Summary -~~~~~~~ -Redefinable Options -################### -==================================================================================== ======================================================= -:bro:id:`BroxygenExample::an_option`: :bro:type:`set` :bro:attr:`&redef` Add documentation for "an_option" here. -:bro:id:`BroxygenExample::option_with_init`: :bro:type:`interval` :bro:attr:`&redef` Default initialization will be generated automatically. -==================================================================================== ======================================================= - -State Variables -############### -======================================================================== ======================================================================== -:bro:id:`BroxygenExample::a_var`: :bro:type:`bool` Put some documentation for "a_var" here. 
-:bro:id:`BroxygenExample::summary_test`: :bro:type:`string` The first sentence for a particular identifier's summary text ends here. -:bro:id:`BroxygenExample::var_without_explicit_type`: :bro:type:`string` Types are inferred, that information is self-documenting. -======================================================================== ======================================================================== - -Types -##### -================================================================================= =========================================================== -:bro:type:`BroxygenExample::ComplexRecord`: :bro:type:`record` :bro:attr:`&redef` General documentation for a type "ComplexRecord" goes here. -:bro:type:`BroxygenExample::Info`: :bro:type:`record` An example record to be used with a logging stream. -:bro:type:`BroxygenExample::SimpleEnum`: :bro:type:`enum` Documentation for the "SimpleEnum" type goes here. -:bro:type:`BroxygenExample::SimpleRecord`: :bro:type:`record` General documentation for a type "SimpleRecord" goes here. -================================================================================= =========================================================== - -Redefinitions -############# -============================================================= ==================================================================== -:bro:type:`BroxygenExample::SimpleEnum`: :bro:type:`enum` Document the "SimpleEnum" redef here with any special info regarding - the *redef* itself. -:bro:type:`BroxygenExample::SimpleRecord`: :bro:type:`record` Document the record extension *redef* itself here. 
-:bro:type:`Log::ID`: :bro:type:`enum` -:bro:type:`Notice::Type`: :bro:type:`enum` -============================================================= ==================================================================== - -Events -###### -====================================================== ========================== -:bro:id:`BroxygenExample::an_event`: :bro:type:`event` Summarize "an_event" here. -====================================================== ========================== - -Functions -######### -=========================================================== ======================================= -:bro:id:`BroxygenExample::a_function`: :bro:type:`function` Summarize purpose of "a_function" here. -=========================================================== ======================================= - - -Detailed Interface -~~~~~~~~~~~~~~~~~~ -Redefinable Options -################### -.. bro:id:: BroxygenExample::an_option - - :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`] - :Attributes: :bro:attr:`&redef` - :Default: ``{}`` - - Add documentation for "an_option" here. - The type/attribute information is all generated automatically. - -.. bro:id:: BroxygenExample::option_with_init - - :Type: :bro:type:`interval` - :Attributes: :bro:attr:`&redef` - :Default: ``10.0 msecs`` - - Default initialization will be generated automatically. - More docs can be added here. - -State Variables -############### -.. bro:id:: BroxygenExample::a_var - - :Type: :bro:type:`bool` - - Put some documentation for "a_var" here. Any global/non-const that - isn't a function/event/hook is classified as a "state variable" - in the generated docs. - -.. bro:id:: BroxygenExample::summary_test - - :Type: :bro:type:`string` - - The first sentence for a particular identifier's summary text ends here. - And this second sentence doesn't show in the short description provided - by the table of all identifiers declared by this script. - -.. 
bro:id:: BroxygenExample::var_without_explicit_type - - :Type: :bro:type:`string` - :Default: ``"this works"`` - - Types are inferred, that information is self-documenting. - -Types -##### -.. bro:type:: BroxygenExample::ComplexRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field3: :bro:type:`BroxygenExample::SimpleRecord` - Broxygen automatically tracks types - and cross-references are automatically - inserted in to generated docs. - - msg: :bro:type:`string` :bro:attr:`&default` = ``"blah"`` :bro:attr:`&optional` - Attributes are self-documenting. - :Attributes: :bro:attr:`&redef` - - General documentation for a type "ComplexRecord" goes here. - -.. bro:type:: BroxygenExample::Info - - :Type: :bro:type:`record` - - ts: :bro:type:`time` :bro:attr:`&log` - - uid: :bro:type:`string` :bro:attr:`&log` - - status: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional` - - An example record to be used with a logging stream. - Nothing special about it. If another script redefs this type - to add fields, the generated documentation will show all original - fields plus the extensions and the scripts which contributed to it - (provided they are also @load'ed). - -.. bro:type:: BroxygenExample::SimpleEnum - - :Type: :bro:type:`enum` - - .. bro:enum:: BroxygenExample::ONE BroxygenExample::SimpleEnum - - Documentation for particular enum values is added like this. - And can also span multiple lines. - - .. bro:enum:: BroxygenExample::TWO BroxygenExample::SimpleEnum - - Or this style is valid to document the preceding enum value. - - .. bro:enum:: BroxygenExample::THREE BroxygenExample::SimpleEnum - - .. bro:enum:: BroxygenExample::FOUR BroxygenExample::SimpleEnum - - And some documentation for "FOUR". - - .. bro:enum:: BroxygenExample::FIVE BroxygenExample::SimpleEnum - - Also "FIVE". - - Documentation for the "SimpleEnum" type goes here. - It can span multiple lines. - -.. 
bro:type:: BroxygenExample::SimpleRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field_ext: :bro:type:`string` :bro:attr:`&optional` - Document the extending field like this. - Or here, like this. - - General documentation for a type "SimpleRecord" goes here. - The way fields can be documented is similar to what's already seen - for enums. - -Events -###### -.. bro:id:: BroxygenExample::an_event - - :Type: :bro:type:`event` (name: :bro:type:`string`) - - Summarize "an_event" here. - Give more details about "an_event" here. - - BroxygenExample::a_function should not be confused as a parameter - in the generated docs, but it also doesn't generate a cross-reference - link. Use the see role instead: :bro:see:`BroxygenExample::a_function`. - - - :name: Describe the argument here. - -Functions -######### -.. bro:id:: BroxygenExample::a_function - - :Type: :bro:type:`function` (tag: :bro:type:`string`, msg: :bro:type:`string`) : :bro:type:`string` - - Summarize purpose of "a_function" here. - Give more details about "a_function" here. - Separating the documentation of the params/return values with - empty comments is optional, but improves readability of script. - - - :tag: Function arguments can be described - like this. - - - :msg: Another param. - - - :returns: Describe the return type here. - - diff --git a/testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst b/testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst deleted file mode 100644 index 06f196b73c..0000000000 --- a/testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst +++ /dev/null 
@@ -1,30 +0,0 @@ -.. bro:id:: test_func_params_func - - :Type: :bro:type:`function` (i: :bro:type:`int`, j: :bro:type:`int`) : :bro:type:`string` - - This is a global function declaration. - - - :i: First param. - - :j: Second param. - - - :returns: A string. - -.. bro:type:: test_func_params_rec - - :Type: :bro:type:`record` - - field_func: :bro:type:`function` (i: :bro:type:`int`, j: :bro:type:`int`) : :bro:type:`string` - This is a record field function. - - - :i: First param. - - :j: Second param. - - - :returns: A string. - - diff --git a/testing/btest/Baseline/doc.broxygen.identifier/test.rst b/testing/btest/Baseline/doc.broxygen.identifier/test.rst deleted file mode 100644 index 0c7c44581d..0000000000 --- a/testing/btest/Baseline/doc.broxygen.identifier/test.rst +++ /dev/null 
@@ -1,230 +0,0 @@ -.. bro:id:: BroxygenExample::Broxygen_One - - :Type: :bro:type:`Notice::Type` - - Any number of this type of comment - will document "Broxygen_One". - -.. bro:id:: BroxygenExample::Broxygen_Two - - :Type: :bro:type:`Notice::Type` - - Any number of this type of comment - will document "BROXYGEN_TWO". - -.. bro:id:: BroxygenExample::Broxygen_Three - - :Type: :bro:type:`Notice::Type` - - -.. bro:id:: BroxygenExample::Broxygen_Four - - :Type: :bro:type:`Notice::Type` - - Omitting comments is fine, and so is mixing ``##`` and ``##<``, but - it's probably best to use only one style consistently. - -.. bro:id:: BroxygenExample::LOG - - :Type: :bro:type:`Log::ID` - - -.. bro:type:: BroxygenExample::SimpleEnum - - :Type: :bro:type:`enum` - - .. bro:enum:: BroxygenExample::ONE BroxygenExample::SimpleEnum - - Documentation for particular enum values is added like this. - And can also span multiple lines. - - .. bro:enum:: BroxygenExample::TWO BroxygenExample::SimpleEnum - - Or this style is valid to document the preceding enum value. - - .. bro:enum:: BroxygenExample::THREE BroxygenExample::SimpleEnum - - .. bro:enum:: BroxygenExample::FOUR BroxygenExample::SimpleEnum - - And some documentation for "FOUR". - - .. bro:enum:: BroxygenExample::FIVE BroxygenExample::SimpleEnum - - Also "FIVE". - - Documentation for the "SimpleEnum" type goes here. - It can span multiple lines. - -.. bro:id:: BroxygenExample::ONE - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - Documentation for particular enum values is added like this. - And can also span multiple lines. - -.. bro:id:: BroxygenExample::TWO - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - Or this style is valid to document the preceding enum value. - -.. bro:id:: BroxygenExample::THREE - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - -.. bro:id:: BroxygenExample::FOUR - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - And some documentation for "FOUR". - -.. 
bro:id:: BroxygenExample::FIVE - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - Also "FIVE". - -.. bro:type:: BroxygenExample::SimpleRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field_ext: :bro:type:`string` :bro:attr:`&optional` - Document the extending field like this. - Or here, like this. - - General documentation for a type "SimpleRecord" goes here. - The way fields can be documented is similar to what's already seen - for enums. - -.. bro:type:: BroxygenExample::ComplexRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field3: :bro:type:`BroxygenExample::SimpleRecord` - Broxygen automatically tracks types - and cross-references are automatically - inserted in to generated docs. - - msg: :bro:type:`string` :bro:attr:`&default` = ``"blah"`` :bro:attr:`&optional` - Attributes are self-documenting. - :Attributes: :bro:attr:`&redef` - - General documentation for a type "ComplexRecord" goes here. - -.. bro:type:: BroxygenExample::Info - - :Type: :bro:type:`record` - - ts: :bro:type:`time` :bro:attr:`&log` - - uid: :bro:type:`string` :bro:attr:`&log` - - status: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional` - - An example record to be used with a logging stream. - Nothing special about it. If another script redefs this type - to add fields, the generated documentation will show all original - fields plus the extensions and the scripts which contributed to it - (provided they are also @load'ed). - -.. bro:id:: BroxygenExample::an_option - - :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`] - :Attributes: :bro:attr:`&redef` - :Default: ``{}`` - - Add documentation for "an_option" here. - The type/attribute information is all generated automatically. - -.. 
bro:id:: BroxygenExample::option_with_init - - :Type: :bro:type:`interval` - :Attributes: :bro:attr:`&redef` - :Default: ``10.0 msecs`` - - Default initialization will be generated automatically. - More docs can be added here. - -.. bro:id:: BroxygenExample::a_var - - :Type: :bro:type:`bool` - - Put some documentation for "a_var" here. Any global/non-const that - isn't a function/event/hook is classified as a "state variable" - in the generated docs. - -.. bro:id:: BroxygenExample::var_without_explicit_type - - :Type: :bro:type:`string` - :Default: ``"this works"`` - - Types are inferred, that information is self-documenting. - -.. bro:id:: BroxygenExample::summary_test - - :Type: :bro:type:`string` - - The first sentence for a particular identifier's summary text ends here. - And this second sentence doesn't show in the short description provided - by the table of all identifiers declared by this script. - -.. bro:id:: BroxygenExample::a_function - - :Type: :bro:type:`function` (tag: :bro:type:`string`, msg: :bro:type:`string`) : :bro:type:`string` - - Summarize purpose of "a_function" here. - Give more details about "a_function" here. - Separating the documentation of the params/return values with - empty comments is optional, but improves readability of script. - - - :tag: Function arguments can be described - like this. - - - :msg: Another param. - - - :returns: Describe the return type here. - -.. bro:id:: BroxygenExample::an_event - - :Type: :bro:type:`event` (name: :bro:type:`string`) - - Summarize "an_event" here. - Give more details about "an_event" here. - - BroxygenExample::a_function should not be confused as a parameter - in the generated docs, but it also doesn't generate a cross-reference - link. Use the see role instead: :bro:see:`BroxygenExample::a_function`. - - - :name: Describe the argument here. - -.. bro:id:: BroxygenExample::function_without_proto - - :Type: :bro:type:`function` (tag: :bro:type:`string`) : :bro:type:`string` - - -.. 
bro:type:: BroxygenExample::PrivateRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`bool` - - field2: :bro:type:`count` - - diff --git a/testing/btest/Baseline/doc.broxygen.package_index/test.rst b/testing/btest/Baseline/doc.broxygen.package_index/test.rst deleted file mode 100644 index f551ab1cd3..0000000000 --- a/testing/btest/Baseline/doc.broxygen.package_index/test.rst +++ /dev/null @@ -1,7 +0,0 @@ -:doc:`broxygen ` - - This package is loaded during the process which automatically generates - reference documentation for all Bro scripts (i.e. "Broxygen"). Its only - purpose is to provide an easy way to load all known Bro scripts plus any - extra scripts needed or used by the documentation process. - diff --git a/testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst b/testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst deleted file mode 100644 index 60d80f6b07..0000000000 --- a/testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst +++ /dev/null @@ -1,28 +0,0 @@ -.. bro:type:: TestRecord1 - - :Type: :bro:type:`record` - - field1: :bro:type:`bool` - - field2: :bro:type:`count` - - -.. bro:type:: TestRecord2 - - :Type: :bro:type:`record` - - A: :bro:type:`count` - document ``A`` - - B: :bro:type:`bool` - document ``B`` - - C: :bro:type:`TestRecord1` - and now ``C`` - is a declared type - - D: :bro:type:`set` [:bro:type:`count`, :bro:type:`bool`] - sets/tables should show the index types - - Here's the ways records and record fields can be documented. - diff --git a/testing/btest/Baseline/doc.broxygen.script_index/test.rst b/testing/btest/Baseline/doc.broxygen.script_index/test.rst deleted file mode 100644 index 30d849c2e0..0000000000 --- a/testing/btest/Baseline/doc.broxygen.script_index/test.rst +++ /dev/null @@ -1,5 +0,0 @@ -.. toctree:: - :maxdepth: 1 - - broxygen/__load__.zeek - broxygen/example.zeek 
diff --git a/testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst b/testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst deleted file mode 100644 index 3a26b8adc6..0000000000 --- a/testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst +++ /dev/null @@ -1,44 +0,0 @@ -.. bro:type:: BroxygenTest::TypeAlias - - :Type: :bro:type:`bool` - - This is just an alias for a builtin type ``bool``. - -.. bro:type:: BroxygenTest::NotTypeAlias - - :Type: :bro:type:`bool` - - This type should get its own comments, not associated w/ TypeAlias. - -.. bro:type:: BroxygenTest::OtherTypeAlias - - :Type: :bro:type:`bool` - - This cross references ``bool`` in the description of its type - instead of ``TypeAlias`` just because it seems more useful -- - one doesn't have to click through the full type alias chain to - find out what the actual type is... - -.. bro:id:: BroxygenTest::a - - :Type: :bro:type:`BroxygenTest::TypeAlias` - - But this should reference a type of ``TypeAlias``. - -.. bro:id:: BroxygenTest::b - - :Type: :bro:type:`BroxygenTest::OtherTypeAlias` - - And this should reference a type of ``OtherTypeAlias``. - -.. bro:type:: BroxygenTest::MyRecord - - :Type: :bro:type:`record` - - f1: :bro:type:`BroxygenTest::TypeAlias` - - f2: :bro:type:`BroxygenTest::OtherTypeAlias` - - f3: :bro:type:`bool` - - diff --git a/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr b/testing/btest/Baseline/doc.zeexygen.all_scripts/.stderr similarity index 100% rename from testing/btest/Baseline/doc.broxygen.all_scripts/.stderr rename to testing/btest/Baseline/doc.zeexygen.all_scripts/.stderr diff --git a/testing/btest/Baseline/doc.broxygen.all_scripts/.stdout b/testing/btest/Baseline/doc.zeexygen.all_scripts/.stdout similarity index 100% rename from testing/btest/Baseline/doc.broxygen.all_scripts/.stdout rename to testing/btest/Baseline/doc.zeexygen.all_scripts/.stdout 
diff --git a/testing/btest/Baseline/doc.broxygen.command_line/output b/testing/btest/Baseline/doc.zeexygen.command_line/output similarity index 100% rename from testing/btest/Baseline/doc.broxygen.command_line/output rename to testing/btest/Baseline/doc.zeexygen.command_line/output diff --git a/testing/btest/Baseline/doc.broxygen.comment_retrieval_bifs/out b/testing/btest/Baseline/doc.zeexygen.comment_retrieval_bifs/out similarity index 100% rename from testing/btest/Baseline/doc.broxygen.comment_retrieval_bifs/out rename to testing/btest/Baseline/doc.zeexygen.comment_retrieval_bifs/out diff --git a/testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst b/testing/btest/Baseline/doc.zeexygen.enums/autogen-reST-enums.rst similarity index 51% rename from testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst rename to testing/btest/Baseline/doc.zeexygen.enums/autogen-reST-enums.rst index c98d2792df..1cc82fbbe7 100644 --- a/testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst +++ b/testing/btest/Baseline/doc.zeexygen.enums/autogen-reST-enums.rst @@ -1,47 +1,47 @@ -.. bro:type:: TestEnum1 +.. zeek:type:: TestEnum1 - :Type: :bro:type:`enum` + :Type: :zeek:type:`enum` - .. bro:enum:: ONE TestEnum1 + .. zeek:enum:: ONE TestEnum1 like this - .. bro:enum:: TWO TestEnum1 + .. zeek:enum:: TWO TestEnum1 or like this - .. bro:enum:: THREE TestEnum1 + .. zeek:enum:: THREE TestEnum1 multiple comments and even more comments - .. bro:enum:: FOUR TestEnum1 + .. zeek:enum:: FOUR TestEnum1 adding another value - .. bro:enum:: FIVE TestEnum1 + .. zeek:enum:: FIVE TestEnum1 adding another value There's tons of ways an enum can look... -.. bro:type:: TestEnum2 +.. zeek:type:: TestEnum2 - :Type: :bro:type:`enum` + :Type: :zeek:type:`enum` - .. bro:enum:: A TestEnum2 + .. zeek:enum:: A TestEnum2 like this - .. bro:enum:: B TestEnum2 + .. zeek:enum:: B TestEnum2 or like this - .. bro:enum:: C TestEnum2 + .. zeek:enum:: C TestEnum2 multiple comments 
@@ -50,10 +50,10 @@ The final comma is optional -.. bro:id:: TestEnumVal +.. zeek:id:: TestEnumVal - :Type: :bro:type:`TestEnum1` - :Attributes: :bro:attr:`&redef` + :Type: :zeek:type:`TestEnum1` + :Attributes: :zeek:attr:`&redef` :Default: ``ONE`` this should reference the TestEnum1 type and not a generic "enum" type diff --git a/testing/btest/Baseline/doc.zeexygen.example/example.rst b/testing/btest/Baseline/doc.zeexygen.example/example.rst new file mode 100644 index 0000000000..4ea8dfe0c3 --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.example/example.rst 
@@ -0,0 +1,248 @@ +:tocdepth: 3 + +zeexygen/example.zeek +===================== +.. zeek:namespace:: ZeexygenExample + +This is an example script that demonstrates Zeexygen-style +documentation. It generally will make most sense when viewing +the script's raw source code and comparing to the HTML-rendered +version. + +Comments in the from ``##!`` are meant to summarize the script's +purpose. They are transferred directly in to the generated +`reStructuredText `_ +(reST) document associated with the script. + +.. tip:: You can embed directives and roles within ``##``-stylized comments. + +There's also a custom role to reference any identifier node in +the Zeek Sphinx domain that's good for "see alsos", e.g. + +See also: :zeek:see:`ZeexygenExample::a_var`, +:zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info` + +And a custom directive does the equivalent references: + +.. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info + +:Namespace: ZeexygenExample +:Imports: :doc:`base/frameworks/notice `, :doc:`base/protocols/http `, :doc:`policy/frameworks/software/vulnerable.zeek ` + +Summary +~~~~~~~ +Redefinable Options +################### +======================================================================================= ======================================================= +:zeek:id:`ZeexygenExample::an_option`: :zeek:type:`set` :zeek:attr:`&redef` Add documentation for "an_option" here. +:zeek:id:`ZeexygenExample::option_with_init`: :zeek:type:`interval` :zeek:attr:`&redef` Default initialization will be generated automatically. +======================================================================================= ======================================================= + +State Variables +############### +========================================================================== ======================================================================== +:zeek:id:`ZeexygenExample::a_var`: :zeek:type:`bool` Put some documentation for "a_var" here. 
+:zeek:id:`ZeexygenExample::summary_test`: :zeek:type:`string` The first sentence for a particular identifier's summary text ends here. +:zeek:id:`ZeexygenExample::var_without_explicit_type`: :zeek:type:`string` Types are inferred, that information is self-documenting. +========================================================================== ======================================================================== + +Types +##### +==================================================================================== =========================================================== +:zeek:type:`ZeexygenExample::ComplexRecord`: :zeek:type:`record` :zeek:attr:`&redef` General documentation for a type "ComplexRecord" goes here. +:zeek:type:`ZeexygenExample::Info`: :zeek:type:`record` An example record to be used with a logging stream. +:zeek:type:`ZeexygenExample::SimpleEnum`: :zeek:type:`enum` Documentation for the "SimpleEnum" type goes here. +:zeek:type:`ZeexygenExample::SimpleRecord`: :zeek:type:`record` General documentation for a type "SimpleRecord" goes here. +==================================================================================== =========================================================== + +Redefinitions +############# +=============================================================== ==================================================================== +:zeek:type:`Log::ID`: :zeek:type:`enum` +:zeek:type:`Notice::Type`: :zeek:type:`enum` +:zeek:type:`ZeexygenExample::SimpleEnum`: :zeek:type:`enum` Document the "SimpleEnum" redef here with any special info regarding + the *redef* itself. +:zeek:type:`ZeexygenExample::SimpleRecord`: :zeek:type:`record` Document the record extension *redef* itself here. 
+=============================================================== ==================================================================== + +Events +###### +======================================================== ========================== +:zeek:id:`ZeexygenExample::an_event`: :zeek:type:`event` Summarize "an_event" here. +======================================================== ========================== + +Functions +######### +============================================================= ======================================= +:zeek:id:`ZeexygenExample::a_function`: :zeek:type:`function` Summarize purpose of "a_function" here. +============================================================= ======================================= + + +Detailed Interface +~~~~~~~~~~~~~~~~~~ +Redefinable Options +################### +.. zeek:id:: ZeexygenExample::an_option + + :Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`addr`, :zeek:type:`string`] + :Attributes: :zeek:attr:`&redef` + :Default: ``{}`` + + Add documentation for "an_option" here. + The type/attribute information is all generated automatically. + +.. zeek:id:: ZeexygenExample::option_with_init + + :Type: :zeek:type:`interval` + :Attributes: :zeek:attr:`&redef` + :Default: ``10.0 msecs`` + + Default initialization will be generated automatically. + More docs can be added here. + +State Variables +############### +.. zeek:id:: ZeexygenExample::a_var + + :Type: :zeek:type:`bool` + + Put some documentation for "a_var" here. Any global/non-const that + isn't a function/event/hook is classified as a "state variable" + in the generated docs. + +.. zeek:id:: ZeexygenExample::summary_test + + :Type: :zeek:type:`string` + + The first sentence for a particular identifier's summary text ends here. + And this second sentence doesn't show in the short description provided + by the table of all identifiers declared by this script. + +.. 
zeek:id:: ZeexygenExample::var_without_explicit_type + + :Type: :zeek:type:`string` + :Default: ``"this works"`` + + Types are inferred, that information is self-documenting. + +Types +##### +.. zeek:type:: ZeexygenExample::ComplexRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`count` + Counts something. + + field2: :zeek:type:`bool` + Toggles something. + + field3: :zeek:type:`ZeexygenExample::SimpleRecord` + Zeexygen automatically tracks types + and cross-references are automatically + inserted in to generated docs. + + msg: :zeek:type:`string` :zeek:attr:`&default` = ``"blah"`` :zeek:attr:`&optional` + Attributes are self-documenting. + :Attributes: :zeek:attr:`&redef` + + General documentation for a type "ComplexRecord" goes here. + +.. zeek:type:: ZeexygenExample::Info + + :Type: :zeek:type:`record` + + ts: :zeek:type:`time` :zeek:attr:`&log` + + uid: :zeek:type:`string` :zeek:attr:`&log` + + status: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional` + + An example record to be used with a logging stream. + Nothing special about it. If another script redefs this type + to add fields, the generated documentation will show all original + fields plus the extensions and the scripts which contributed to it + (provided they are also @load'ed). + +.. zeek:type:: ZeexygenExample::SimpleEnum + + :Type: :zeek:type:`enum` + + .. zeek:enum:: ZeexygenExample::ONE ZeexygenExample::SimpleEnum + + Documentation for particular enum values is added like this. + And can also span multiple lines. + + .. zeek:enum:: ZeexygenExample::TWO ZeexygenExample::SimpleEnum + + Or this style is valid to document the preceding enum value. + + .. zeek:enum:: ZeexygenExample::THREE ZeexygenExample::SimpleEnum + + .. zeek:enum:: ZeexygenExample::FOUR ZeexygenExample::SimpleEnum + + And some documentation for "FOUR". + + .. zeek:enum:: ZeexygenExample::FIVE ZeexygenExample::SimpleEnum + + Also "FIVE". + + Documentation for the "SimpleEnum" type goes here. 
+ It can span multiple lines. + +.. zeek:type:: ZeexygenExample::SimpleRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`count` + Counts something. + + field2: :zeek:type:`bool` + Toggles something. + + field_ext: :zeek:type:`string` :zeek:attr:`&optional` + Document the extending field like this. + Or here, like this. + + General documentation for a type "SimpleRecord" goes here. + The way fields can be documented is similar to what's already seen + for enums. + +Events +###### +.. zeek:id:: ZeexygenExample::an_event + + :Type: :zeek:type:`event` (name: :zeek:type:`string`) + + Summarize "an_event" here. + Give more details about "an_event" here. + + ZeexygenExample::a_function should not be confused as a parameter + in the generated docs, but it also doesn't generate a cross-reference + link. Use the see role instead: :zeek:see:`ZeexygenExample::a_function`. + + + :name: Describe the argument here. + +Functions +######### +.. zeek:id:: ZeexygenExample::a_function + + :Type: :zeek:type:`function` (tag: :zeek:type:`string`, msg: :zeek:type:`string`) : :zeek:type:`string` + + Summarize purpose of "a_function" here. + Give more details about "a_function" here. + Separating the documentation of the params/return values with + empty comments is optional, but improves readability of script. + + + :tag: Function arguments can be described + like this. + + + :msg: Another param. + + + :returns: Describe the return type here. + + diff --git a/testing/btest/Baseline/doc.zeexygen.func-params/autogen-reST-func-params.rst b/testing/btest/Baseline/doc.zeexygen.func-params/autogen-reST-func-params.rst new file mode 100644 index 0000000000..cd0b7871d4 --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.func-params/autogen-reST-func-params.rst 
@@ -0,0 +1,30 @@ +.. zeek:id:: test_func_params_func + + :Type: :zeek:type:`function` (i: :zeek:type:`int`, j: :zeek:type:`int`) : :zeek:type:`string` + + This is a global function declaration. + + + :i: First param. + + :j: Second param. + + + :returns: A string. + +.. zeek:type:: test_func_params_rec + + :Type: :zeek:type:`record` + + field_func: :zeek:type:`function` (i: :zeek:type:`int`, j: :zeek:type:`int`) : :zeek:type:`string` + This is a record field function. + + + :i: First param. + + :j: Second param. + + + :returns: A string. + + diff --git a/testing/btest/Baseline/doc.zeexygen.identifier/test.rst b/testing/btest/Baseline/doc.zeexygen.identifier/test.rst new file mode 100644 index 0000000000..128e1c6a5f --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.identifier/test.rst 
@@ -0,0 +1,230 @@ +.. zeek:id:: ZeexygenExample::Zeexygen_One + + :Type: :zeek:type:`Notice::Type` + + Any number of this type of comment + will document "Zeexygen_One". + +.. zeek:id:: ZeexygenExample::Zeexygen_Two + + :Type: :zeek:type:`Notice::Type` + + Any number of this type of comment + will document "ZEEXYGEN_TWO". + +.. zeek:id:: ZeexygenExample::Zeexygen_Three + + :Type: :zeek:type:`Notice::Type` + + +.. zeek:id:: ZeexygenExample::Zeexygen_Four + + :Type: :zeek:type:`Notice::Type` + + Omitting comments is fine, and so is mixing ``##`` and ``##<``, but + it's probably best to use only one style consistently. + +.. zeek:id:: ZeexygenExample::LOG + + :Type: :zeek:type:`Log::ID` + + +.. zeek:type:: ZeexygenExample::SimpleEnum + + :Type: :zeek:type:`enum` + + .. zeek:enum:: ZeexygenExample::ONE ZeexygenExample::SimpleEnum + + Documentation for particular enum values is added like this. + And can also span multiple lines. + + .. zeek:enum:: ZeexygenExample::TWO ZeexygenExample::SimpleEnum + + Or this style is valid to document the preceding enum value. + + .. zeek:enum:: ZeexygenExample::THREE ZeexygenExample::SimpleEnum + + .. zeek:enum:: ZeexygenExample::FOUR ZeexygenExample::SimpleEnum + + And some documentation for "FOUR". + + .. zeek:enum:: ZeexygenExample::FIVE ZeexygenExample::SimpleEnum + + Also "FIVE". + + Documentation for the "SimpleEnum" type goes here. + It can span multiple lines. + +.. zeek:id:: ZeexygenExample::ONE + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + Documentation for particular enum values is added like this. + And can also span multiple lines. + +.. zeek:id:: ZeexygenExample::TWO + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + Or this style is valid to document the preceding enum value. + +.. zeek:id:: ZeexygenExample::THREE + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + +.. zeek:id:: ZeexygenExample::FOUR + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + And some documentation for "FOUR". + +.. 
zeek:id:: ZeexygenExample::FIVE + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + Also "FIVE". + +.. zeek:type:: ZeexygenExample::SimpleRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`count` + Counts something. + + field2: :zeek:type:`bool` + Toggles something. + + field_ext: :zeek:type:`string` :zeek:attr:`&optional` + Document the extending field like this. + Or here, like this. + + General documentation for a type "SimpleRecord" goes here. + The way fields can be documented is similar to what's already seen + for enums. + +.. zeek:type:: ZeexygenExample::ComplexRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`count` + Counts something. + + field2: :zeek:type:`bool` + Toggles something. + + field3: :zeek:type:`ZeexygenExample::SimpleRecord` + Zeexygen automatically tracks types + and cross-references are automatically + inserted in to generated docs. + + msg: :zeek:type:`string` :zeek:attr:`&default` = ``"blah"`` :zeek:attr:`&optional` + Attributes are self-documenting. + :Attributes: :zeek:attr:`&redef` + + General documentation for a type "ComplexRecord" goes here. + +.. zeek:type:: ZeexygenExample::Info + + :Type: :zeek:type:`record` + + ts: :zeek:type:`time` :zeek:attr:`&log` + + uid: :zeek:type:`string` :zeek:attr:`&log` + + status: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional` + + An example record to be used with a logging stream. + Nothing special about it. If another script redefs this type + to add fields, the generated documentation will show all original + fields plus the extensions and the scripts which contributed to it + (provided they are also @load'ed). + +.. zeek:id:: ZeexygenExample::an_option + + :Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`addr`, :zeek:type:`string`] + :Attributes: :zeek:attr:`&redef` + :Default: ``{}`` + + Add documentation for "an_option" here. + The type/attribute information is all generated automatically. + +.. 
zeek:id:: ZeexygenExample::option_with_init + + :Type: :zeek:type:`interval` + :Attributes: :zeek:attr:`&redef` + :Default: ``10.0 msecs`` + + Default initialization will be generated automatically. + More docs can be added here. + +.. zeek:id:: ZeexygenExample::a_var + + :Type: :zeek:type:`bool` + + Put some documentation for "a_var" here. Any global/non-const that + isn't a function/event/hook is classified as a "state variable" + in the generated docs. + +.. zeek:id:: ZeexygenExample::var_without_explicit_type + + :Type: :zeek:type:`string` + :Default: ``"this works"`` + + Types are inferred, that information is self-documenting. + +.. zeek:id:: ZeexygenExample::summary_test + + :Type: :zeek:type:`string` + + The first sentence for a particular identifier's summary text ends here. + And this second sentence doesn't show in the short description provided + by the table of all identifiers declared by this script. + +.. zeek:id:: ZeexygenExample::a_function + + :Type: :zeek:type:`function` (tag: :zeek:type:`string`, msg: :zeek:type:`string`) : :zeek:type:`string` + + Summarize purpose of "a_function" here. + Give more details about "a_function" here. + Separating the documentation of the params/return values with + empty comments is optional, but improves readability of script. + + + :tag: Function arguments can be described + like this. + + + :msg: Another param. + + + :returns: Describe the return type here. + +.. zeek:id:: ZeexygenExample::an_event + + :Type: :zeek:type:`event` (name: :zeek:type:`string`) + + Summarize "an_event" here. + Give more details about "an_event" here. + + ZeexygenExample::a_function should not be confused as a parameter + in the generated docs, but it also doesn't generate a cross-reference + link. Use the see role instead: :zeek:see:`ZeexygenExample::a_function`. + + + :name: Describe the argument here. + +.. 
zeek:id:: ZeexygenExample::function_without_proto + + :Type: :zeek:type:`function` (tag: :zeek:type:`string`) : :zeek:type:`string` + + +.. zeek:type:: ZeexygenExample::PrivateRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`bool` + + field2: :zeek:type:`count` + + diff --git a/testing/btest/Baseline/doc.broxygen.package/test.rst b/testing/btest/Baseline/doc.zeexygen.package/test.rst similarity index 58% rename from testing/btest/Baseline/doc.broxygen.package/test.rst rename to testing/btest/Baseline/doc.zeexygen.package/test.rst index 7c1f32dd44..345b2b6847 100644 --- a/testing/btest/Baseline/doc.broxygen.package/test.rst +++ b/testing/btest/Baseline/doc.zeexygen.package/test.rst @@ -1,19 +1,19 @@ :orphan: -Package: broxygen +Package: zeexygen ================= This package is loaded during the process which automatically generates -reference documentation for all Bro scripts (i.e. "Broxygen"). Its only -purpose is to provide an easy way to load all known Bro scripts plus any +reference documentation for all Zeek scripts (i.e. "Zeexygen"). Its only +purpose is to provide an easy way to load all known Zeek scripts plus any extra scripts needed or used by the documentation process. -:doc:`/scripts/broxygen/__load__.zeek` +:doc:`/scripts/zeexygen/__load__.zeek` -:doc:`/scripts/broxygen/example.zeek` +:doc:`/scripts/zeexygen/example.zeek` - This is an example script that demonstrates Broxygen-style + This is an example script that demonstrates Zeexygen-style documentation. It generally will make most sense when viewing the script's raw source code and comparing to the HTML-rendered version. 
@@ -26,12 +26,12 @@ extra scripts needed or used by the documentation process. .. tip:: You can embed directives and roles within ``##``-stylized comments. There's also a custom role to reference any identifier node in - the Bro Sphinx domain that's good for "see alsos", e.g. + the Zeek Sphinx domain that's good for "see alsos", e.g. - See also: :bro:see:`BroxygenExample::a_var`, - :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` + See also: :zeek:see:`ZeexygenExample::a_var`, + :zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info` And a custom directive does the equivalent references: - .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info + .. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info diff --git a/testing/btest/Baseline/doc.zeexygen.package_index/test.rst b/testing/btest/Baseline/doc.zeexygen.package_index/test.rst new file mode 100644 index 0000000000..4a854e9736 --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.package_index/test.rst @@ -0,0 +1,7 @@ +:doc:`zeexygen ` + + This package is loaded during the process which automatically generates + reference documentation for all Zeek scripts (i.e. "Zeexygen"). Its only + purpose is to provide an easy way to load all known Zeek scripts plus any + extra scripts needed or used by the documentation process. + diff --git a/testing/btest/Baseline/doc.zeexygen.records/autogen-reST-records.rst b/testing/btest/Baseline/doc.zeexygen.records/autogen-reST-records.rst new file mode 100644 index 0000000000..a9b671623a --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.records/autogen-reST-records.rst 
@@ -0,0 +1,28 @@ +.. zeek:type:: TestRecord1 + + :Type: :zeek:type:`record` + + field1: :zeek:type:`bool` + + field2: :zeek:type:`count` + + +.. zeek:type:: TestRecord2 + + :Type: :zeek:type:`record` + + A: :zeek:type:`count` + document ``A`` + + B: :zeek:type:`bool` + document ``B`` + + C: :zeek:type:`TestRecord1` + and now ``C`` + is a declared type + + D: :zeek:type:`set` [:zeek:type:`count`, :zeek:type:`bool`] + sets/tables should show the index types + + Here's the ways records and record fields can be documented. + diff --git a/testing/btest/Baseline/doc.zeexygen.script_index/test.rst b/testing/btest/Baseline/doc.zeexygen.script_index/test.rst new file mode 100644 index 0000000000..eab6c439b2 --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.script_index/test.rst @@ -0,0 +1,5 @@ +.. toctree:: + :maxdepth: 1 + + zeexygen/__load__.zeek + zeexygen/example.zeek diff --git a/testing/btest/Baseline/doc.broxygen.script_summary/test.rst b/testing/btest/Baseline/doc.zeexygen.script_summary/test.rst similarity index 64% rename from testing/btest/Baseline/doc.broxygen.script_summary/test.rst rename to testing/btest/Baseline/doc.zeexygen.script_summary/test.rst index 509f2c9286..3dd189ca77 100644 --- a/testing/btest/Baseline/doc.broxygen.script_summary/test.rst +++ b/testing/btest/Baseline/doc.zeexygen.script_summary/test.rst @@ -1,5 +1,5 @@ -:doc:`/scripts/broxygen/example.zeek` - This is an example script that demonstrates Broxygen-style +:doc:`/scripts/zeexygen/example.zeek` + This is an example script that demonstrates Zeexygen-style documentation. It generally will make most sense when viewing the script's raw source code and comparing to the HTML-rendered version. 
@@ -12,12 +12,12 @@ .. tip:: You can embed directives and roles within ``##``-stylized comments. There's also a custom role to reference any identifier node in - the Bro Sphinx domain that's good for "see alsos", e.g. + the Zeek Sphinx domain that's good for "see alsos", e.g. - See also: :bro:see:`BroxygenExample::a_var`, - :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` + See also: :zeek:see:`ZeexygenExample::a_var`, + :zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info` And a custom directive does the equivalent references: - .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info + .. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info diff --git a/testing/btest/Baseline/doc.zeexygen.type-aliases/autogen-reST-type-aliases.rst b/testing/btest/Baseline/doc.zeexygen.type-aliases/autogen-reST-type-aliases.rst new file mode 100644 index 0000000000..7f60859a5a --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.type-aliases/autogen-reST-type-aliases.rst 
@@ -0,0 +1,44 @@ +.. zeek:type:: ZeexygenTest::TypeAlias + + :Type: :zeek:type:`bool` + + This is just an alias for a builtin type ``bool``. + +.. zeek:type:: ZeexygenTest::NotTypeAlias + + :Type: :zeek:type:`bool` + + This type should get its own comments, not associated w/ TypeAlias. + +.. zeek:type:: ZeexygenTest::OtherTypeAlias + + :Type: :zeek:type:`bool` + + This cross references ``bool`` in the description of its type + instead of ``TypeAlias`` just because it seems more useful -- + one doesn't have to click through the full type alias chain to + find out what the actual type is... + +.. zeek:id:: ZeexygenTest::a + + :Type: :zeek:type:`ZeexygenTest::TypeAlias` + + But this should reference a type of ``TypeAlias``. + +.. zeek:id:: ZeexygenTest::b + + :Type: :zeek:type:`ZeexygenTest::OtherTypeAlias` + + And this should reference a type of ``OtherTypeAlias``. + +.. zeek:type:: ZeexygenTest::MyRecord + + :Type: :zeek:type:`record` + + f1: :zeek:type:`ZeexygenTest::TypeAlias` + + f2: :zeek:type:`ZeexygenTest::OtherTypeAlias` + + f3: :zeek:type:`bool` + + diff --git a/testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst b/testing/btest/Baseline/doc.zeexygen.vectors/autogen-reST-vectors.rst similarity index 50% rename from testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst rename to testing/btest/Baseline/doc.zeexygen.vectors/autogen-reST-vectors.rst index 37eabb9419..48b7204b60 100644 --- a/testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst +++ b/testing/btest/Baseline/doc.zeexygen.vectors/autogen-reST-vectors.rst @@ -1,6 +1,6 @@ -.. bro:id:: test_vector0 +.. zeek:id:: test_vector0 - :Type: :bro:type:`vector` of :bro:type:`string` + :Type: :zeek:type:`vector` of :zeek:type:`string` :Default: :: 
@@ -9,9 +9,9 @@ Yield type is documented/cross-referenced for primitize types. -.. bro:id:: test_vector1 +.. zeek:id:: test_vector1 - :Type: :bro:type:`vector` of :bro:type:`TestRecord` + :Type: :zeek:type:`vector` of :zeek:type:`TestRecord` :Default: :: @@ -20,9 +20,9 @@ Yield type is documented/cross-referenced for composite types. -.. bro:id:: test_vector2 +.. zeek:id:: test_vector2 - :Type: :bro:type:`vector` of :bro:type:`vector` of :bro:type:`TestRecord` + :Type: :zeek:type:`vector` of :zeek:type:`vector` of :zeek:type:`TestRecord` :Default: :: diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 27edb2b682..aa27d73819 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -277,7 +277,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1555694513.545387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -462,7 +462,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1555694513.545387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -707,7 +707,6 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/bloom-filter.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/bro.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/broker.zeek) -> -1 -0.000000 MetaHookPost LoadFile(0, .<...>/broxygen.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/cardinality-counter.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/catch-and-release.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/comm.bif.zeek) -> -1 @@ -786,6 +785,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/utils.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/variance.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/weird.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/zeexygen.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, <...>/__load__.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, <...>/__preload__.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, <...>/hooks.zeek) -> -1 
@@ -1180,7 +1180,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1555694513.545387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1365,7 +1365,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1555694513.545387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1610,7 +1610,6 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/bloom-filter.bif.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/bro.bif.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/broker.zeek) -0.000000 MetaHookPre LoadFile(0, .<...>/broxygen.bif.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/cardinality-counter.bif.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/catch-and-release.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/comm.bif.zeek) @@ -1689,6 +1688,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/utils.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/variance.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/weird.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/zeexygen.bif.zeek) 0.000000 MetaHookPre LoadFile(0, <...>/__load__.zeek) 0.000000 MetaHookPre LoadFile(0, <...>/__preload__.zeek) 0.000000 MetaHookPre LoadFile(0, <...>/hooks.zeek) @@ -2082,7 +2082,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1555694513.545387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2267,7 +2267,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1555694513.545387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2514,7 +2514,6 @@ 0.000000 | HookLoadFile .<...>/bloom-filter.bif.zeek 0.000000 | HookLoadFile .<...>/bro.bif.zeek 0.000000 | HookLoadFile .<...>/broker.zeek -0.000000 | HookLoadFile .<...>/broxygen.bif.zeek 0.000000 | HookLoadFile .<...>/cardinality-counter.bif.zeek 0.000000 | HookLoadFile .<...>/catch-and-release.zeek 0.000000 | HookLoadFile .<...>/comm.bif.zeek @@ -2600,6 +2599,7 @@ 0.000000 | HookLoadFile .<...>/variance.zeek 0.000000 | HookLoadFile .<...>/video.sig 0.000000 | HookLoadFile .<...>/weird.zeek +0.000000 | HookLoadFile .<...>/zeexygen.bif.zeek 0.000000 | HookLoadFile <...>/__load__.zeek 0.000000 | HookLoadFile <...>/__preload__.zeek 0.000000 | HookLoadFile <...>/hooks.zeek 
@@ -2702,7 +2702,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1555694513.545387, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() diff --git a/testing/btest/coverage/broxygen.sh b/testing/btest/coverage/broxygen.sh index eee4575738..4dd12f27fe 100644 --- a/testing/btest/coverage/broxygen.sh +++ b/testing/btest/coverage/broxygen.sh @@ -1,12 +1,12 @@ -# This check piggy-backs on the test-all-policy.bro test, assuming that every +# This check piggy-backs on the test-all-policy.zeek test, assuming that every # loadable script is referenced there. The only additional check here is -# that the broxygen package should even load scripts that are commented -# out in test-all-policy.bro because the broxygen package is only loaded +# that the zeexygen package should even load scripts that are commented +# out in test-all-policy.zeek because the zeexygen package is only loaded # when generated documentation and will terminate has soon as zeek_init -# is handled, even if a script will e.g. put Bro into listen mode or otherwise +# is handled, even if a script will e.g. put Zeek into listen mode or otherwise # cause it to not terminate after scripts are parsed. -# @TEST-EXEC: bash %INPUT $DIST/scripts/test-all-policy.bro $DIST/scripts/broxygen/__load__.bro +# @TEST-EXEC: bash %INPUT $DIST/scripts/test-all-policy.zeek $DIST/scripts/zeexygen/__load__.zeek error_count=0 
@@ -22,10 +22,10 @@ if [ $# -ne 2 ]; then fi all_loads=$(egrep "#[[:space:]]*@load.*" $1 | sed 's/#[[:space:]]*@load[[:space:]]*//g') -broxygen_loads=$(egrep "@load.*" $2 | sed 's/@load[[:space:]]*//g') +zeexygen_loads=$(egrep "@load.*" $2 | sed 's/@load[[:space:]]*//g') for f in $all_loads; do - echo "$broxygen_loads" | grep -q $f || error_msg "$f not loaded in broxygen/__load__.bro" + echo "$zeexygen_loads" | grep -q $f || error_msg "$f not loaded in zeexygen/__load__.zeek" done if [ $error_count -gt 0 ]; then diff --git a/testing/btest/coverage/sphinx-broxygen-docs.sh b/testing/btest/coverage/sphinx-broxygen-docs.sh index ab194cb027..d508a8361f 100644 --- a/testing/btest/coverage/sphinx-broxygen-docs.sh +++ b/testing/btest/coverage/sphinx-broxygen-docs.sh @@ -1,11 +1,11 @@ -# This script checks whether the reST docs generated by broxygen are stale. +# This script checks whether the reST docs generated by zeexygen are stale. # If this test fails when testing the master branch, then simply run: # -# testing/scripts/gen-broxygen-docs.sh +# testing/scripts/gen-zeexygen-docs.sh # # and then commit the changes. # -# @TEST-EXEC: bash $SCRIPTS/gen-broxygen-docs.sh ./doc +# @TEST-EXEC: bash $SCRIPTS/gen-zeexygen-docs.sh ./doc # @TEST-EXEC: bash %INPUT if [ -n "$TRAVIS_PULL_REQUEST" ]; then @@ -33,7 +33,7 @@ function check_diff echo "If this fails in the master branch or when merging to master," 1>&2 echo "re-run the following command:" 1>&2 echo "" 1>&2 - echo " $SCRIPTS/gen-broxygen-docs.sh" 1>&2 + echo " $SCRIPTS/gen-zeexygen-docs.sh" 1>&2 echo "" 1>&2 echo "Then commit/push the changes in the zeek-docs repo" 1>&2 echo "(the doc/ directory in the zeek repo)." 1>&2 diff --git a/testing/btest/doc/broxygen/example.zeek b/testing/btest/doc/broxygen/example.zeek deleted file mode 100644 index 7a7d30c92a..0000000000 --- a/testing/btest/doc/broxygen/example.zeek +++ /dev/null 
@@ -1,8 +0,0 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config %INPUT -# @TEST-EXEC: btest-diff example.rst - -@TEST-START-FILE broxygen.config -script broxygen/example.zeek example.rst -@TEST-END-FILE - -@load broxygen/example diff --git a/testing/btest/doc/broxygen/identifier.zeek b/testing/btest/doc/broxygen/identifier.zeek deleted file mode 100644 index ae49d812a0..0000000000 --- a/testing/btest/doc/broxygen/identifier.zeek +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -identifier BroxygenExample::* test.rst -@TEST-END-FILE - -@load broxygen diff --git a/testing/btest/doc/broxygen/package.zeek b/testing/btest/doc/broxygen/package.zeek deleted file mode 100644 index 6a9957804a..0000000000 --- a/testing/btest/doc/broxygen/package.zeek +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -package broxygen test.rst -@TEST-END-FILE - -@load broxygen diff --git a/testing/btest/doc/broxygen/package_index.zeek b/testing/btest/doc/broxygen/package_index.zeek deleted file mode 100644 index 49c367aa48..0000000000 --- a/testing/btest/doc/broxygen/package_index.zeek +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -package_index broxygen test.rst -@TEST-END-FILE - -@load broxygen diff --git a/testing/btest/doc/broxygen/script_index.zeek b/testing/btest/doc/broxygen/script_index.zeek deleted file mode 100644 index ab257ad35d..0000000000 --- a/testing/btest/doc/broxygen/script_index.zeek +++ /dev/null 
@@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -script_index broxygen/* test.rst -@TEST-END-FILE - -@load broxygen diff --git a/testing/btest/doc/broxygen/script_summary.zeek b/testing/btest/doc/broxygen/script_summary.zeek deleted file mode 100644 index 6ea5e95576..0000000000 --- a/testing/btest/doc/broxygen/script_summary.zeek +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -script_summary broxygen/example.zeek test.rst -@TEST-END-FILE - -@load broxygen diff --git a/testing/btest/doc/broxygen/command_line.zeek b/testing/btest/doc/zeexygen/command_line.zeek similarity index 100% rename from testing/btest/doc/broxygen/command_line.zeek rename to testing/btest/doc/zeexygen/command_line.zeek diff --git a/testing/btest/doc/broxygen/comment_retrieval_bifs.zeek b/testing/btest/doc/zeexygen/comment_retrieval_bifs.zeek similarity index 100% rename from testing/btest/doc/broxygen/comment_retrieval_bifs.zeek rename to testing/btest/doc/zeexygen/comment_retrieval_bifs.zeek diff --git a/testing/btest/doc/broxygen/enums.zeek b/testing/btest/doc/zeexygen/enums.zeek similarity index 89% rename from testing/btest/doc/broxygen/enums.zeek rename to testing/btest/doc/zeexygen/enums.zeek index 8fbdb11ab6..a385a36a6c 100644 --- a/testing/btest/doc/broxygen/enums.zeek +++ b/testing/btest/doc/zeexygen/enums.zeek 
@@ -1,7 +1,7 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-enums.rst -@TEST-START-FILE broxygen.config +@TEST-START-FILE zeexygen.config identifier TestEnum* autogen-reST-enums.rst @TEST-END-FILE diff --git a/testing/btest/doc/zeexygen/example.zeek b/testing/btest/doc/zeexygen/example.zeek new file mode 100644 index 0000000000..53179dac39 --- /dev/null +++ b/testing/btest/doc/zeexygen/example.zeek @@ -0,0 +1,8 @@ +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X zeexygen.config %INPUT +# @TEST-EXEC: btest-diff example.rst + +@TEST-START-FILE zeexygen.config +script zeexygen/example.zeek example.rst +@TEST-END-FILE + +@load zeexygen/example diff --git a/testing/btest/doc/broxygen/func-params.zeek b/testing/btest/doc/zeexygen/func-params.zeek similarity index 83% rename from testing/btest/doc/broxygen/func-params.zeek rename to testing/btest/doc/zeexygen/func-params.zeek index e53ca475f1..5facba3e05 100644 --- a/testing/btest/doc/broxygen/func-params.zeek +++ b/testing/btest/doc/zeexygen/func-params.zeek @@ -1,7 +1,7 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-func-params.rst -@TEST-START-FILE broxygen.config +@TEST-START-FILE zeexygen.config identifier test_func_params* autogen-reST-func-params.rst @TEST-END-FILE diff --git a/testing/btest/doc/zeexygen/identifier.zeek b/testing/btest/doc/zeexygen/identifier.zeek new file mode 100644 index 0000000000..38a4f274ad --- /dev/null +++ b/testing/btest/doc/zeexygen/identifier.zeek 
@@ -0,0 +1,9 @@ +# @TEST-PORT: BROKER_PORT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT +# @TEST-EXEC: btest-diff test.rst + +@TEST-START-FILE zeexygen.config +identifier ZeexygenExample::* test.rst +@TEST-END-FILE + +@load zeexygen diff --git a/testing/btest/doc/zeexygen/package.zeek b/testing/btest/doc/zeexygen/package.zeek new file mode 100644 index 0000000000..7038b5b50a --- /dev/null +++ b/testing/btest/doc/zeexygen/package.zeek @@ -0,0 +1,9 @@ +# @TEST-PORT: BROKER_PORT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT +# @TEST-EXEC: btest-diff test.rst + +@TEST-START-FILE zeexygen.config +package zeexygen test.rst +@TEST-END-FILE + +@load zeexygen diff --git a/testing/btest/doc/zeexygen/package_index.zeek b/testing/btest/doc/zeexygen/package_index.zeek new file mode 100644 index 0000000000..3a0c92ca71 --- /dev/null +++ b/testing/btest/doc/zeexygen/package_index.zeek @@ -0,0 +1,9 @@ +# @TEST-PORT: BROKER_PORT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT +# @TEST-EXEC: btest-diff test.rst + +@TEST-START-FILE zeexygen.config +package_index zeexygen test.rst +@TEST-END-FILE + +@load zeexygen diff --git a/testing/btest/doc/broxygen/records.zeek b/testing/btest/doc/zeexygen/records.zeek similarity index 84% rename from testing/btest/doc/broxygen/records.zeek rename to testing/btest/doc/zeexygen/records.zeek index fbaa957a9f..0c1f668df9 100644 --- a/testing/btest/doc/broxygen/records.zeek +++ b/testing/btest/doc/zeexygen/records.zeek @@ -1,7 +1,7 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-records.rst -@TEST-START-FILE broxygen.config +@TEST-START-FILE zeexygen.config identifier TestRecord* autogen-reST-records.rst @TEST-END-FILE 
diff --git a/testing/btest/doc/zeexygen/script_index.zeek b/testing/btest/doc/zeexygen/script_index.zeek new file mode 100644 index 0000000000..f92513d632 --- /dev/null +++ b/testing/btest/doc/zeexygen/script_index.zeek @@ -0,0 +1,9 @@ +# @TEST-PORT: BROKER_PORT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT +# @TEST-EXEC: btest-diff test.rst + +@TEST-START-FILE zeexygen.config +script_index zeexygen/* test.rst +@TEST-END-FILE + +@load zeexygen diff --git a/testing/btest/doc/zeexygen/script_summary.zeek b/testing/btest/doc/zeexygen/script_summary.zeek new file mode 100644 index 0000000000..9378417f08 --- /dev/null +++ b/testing/btest/doc/zeexygen/script_summary.zeek @@ -0,0 +1,9 @@ +# @TEST-PORT: BROKER_PORT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT +# @TEST-EXEC: btest-diff test.rst + +@TEST-START-FILE zeexygen.config +script_summary zeexygen/example.zeek test.rst +@TEST-END-FILE + +@load zeexygen diff --git a/testing/btest/doc/broxygen/type-aliases.zeek b/testing/btest/doc/zeexygen/type-aliases.zeek similarity index 81% rename from testing/btest/doc/broxygen/type-aliases.zeek rename to testing/btest/doc/zeexygen/type-aliases.zeek index 0971327c2b..40a6e24417 100644 --- a/testing/btest/doc/broxygen/type-aliases.zeek +++ b/testing/btest/doc/zeexygen/type-aliases.zeek @@ -1,11 +1,11 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst -@TEST-START-FILE broxygen.config -identifier BroxygenTest::* autogen-reST-type-aliases.rst +@TEST-START-FILE zeexygen.config +identifier ZeexygenTest::* autogen-reST-type-aliases.rst @TEST-END-FILE -module BroxygenTest; +module ZeexygenTest; export { ## This is just an alias for a builtin type ``bool``. 
diff --git a/testing/btest/doc/broxygen/vectors.zeek b/testing/btest/doc/zeexygen/vectors.zeek similarity index 83% rename from testing/btest/doc/broxygen/vectors.zeek rename to testing/btest/doc/zeexygen/vectors.zeek index 7c18225357..8a16a58149 100644 --- a/testing/btest/doc/broxygen/vectors.zeek +++ b/testing/btest/doc/zeexygen/vectors.zeek @@ -1,7 +1,7 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-vectors.rst -@TEST-START-FILE broxygen.config +@TEST-START-FILE zeexygen.config identifier test_vector* autogen-reST-vectors.rst @TEST-END-FILE diff --git a/testing/scripts/gen-broxygen-docs.sh b/testing/scripts/gen-zeexygen-docs.sh similarity index 81% rename from testing/scripts/gen-broxygen-docs.sh rename to testing/scripts/gen-zeexygen-docs.sh index 11f1cb066e..66287b01aa 100755 --- a/testing/scripts/gen-broxygen-docs.sh +++ b/testing/scripts/gen-zeexygen-docs.sh @@ -11,9 +11,9 @@ unset BRO_DEFAULT_CONNECT_RETRY dir="$( cd "$( dirname "$0" )" && pwd )" source_dir="$( cd $dir/../.. && pwd )" build_dir=$source_dir/build -conf_file=$build_dir/broxygen-test.conf +conf_file=$build_dir/zeexygen-test.conf output_dir=$source_dir/doc -bro_error_file=$build_dir/broxygen-test-stderr.txt +zeek_error_file=$build_dir/zeexygen-test-stderr.txt if [ -n "$1" ]; then output_dir=$1 @@ -28,13 +28,13 @@ cd $build_dir . bro-path-dev.sh export BRO_SEED_FILE=$source_dir/testing/btest/random.seed -function run_bro +function run_zeek { - ZEEK_ALLOW_INIT_ERRORS=1 bro -X $conf_file broxygen >/dev/null 2>$bro_error_file + ZEEK_ALLOW_INIT_ERRORS=1 bro -X $conf_file zeexygen >/dev/null 2>$zeek_error_file if [ $? -ne 0 ]; then - echo "Failed running bro with broxygen config file $conf_file" - echo "See stderr in $bro_error_file" + echo "Failed running zeek with zeexygen config file $conf_file" + echo "See stderr in $zeek_error_file" exit 1 fi } 
@@ -43,7 +43,7 @@ scripts_output_dir=$output_dir/scripts
 rm -rf $scripts_output_dir
 printf "script\t*\t$scripts_output_dir/" > $conf_file
 echo "Generating $scripts_output_dir/"
-run_bro
+run_zeek
 script_ref_dir=$output_dir/script-reference
 mkdir -p $script_ref_dir
@@ -52,7 +52,7 @@ function generate_index
 {
 echo "Generating $script_ref_dir/$2"
 printf "$1\t*\t$script_ref_dir/$2\n" > $conf_file
- run_bro
+ run_zeek
 }
 generate_index "script_index" "autogenerated-script-index.rst"
From 85acdc14e43a9f69b04e60f74bc10515afb3af1b Mon Sep 17 00:00:00 2001
From: Vern Paxson
Date: Tue, 23 Apr 2019 16:40:58 -0700
Subject: [PATCH 84/88] expose some TCP analyzer utility functions for use by derived classes
---
 src/analyzer/protocol/tcp/TCP.cc | 8 ++++----
 src/analyzer/protocol/tcp/TCP.h | 8 ++++++++
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index 1f5309a1b9..7c9c3b09a2 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -1019,9 +1019,9 @@ void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip)
 }
 }
-static uint64 get_relative_seq(const TCP_Endpoint* endpoint,
- uint32 cur_base, uint32 last, uint32 wraps,
- bool* underflow = 0)
+uint64 TCP_Analyzer::get_relative_seq(const TCP_Endpoint* endpoint,
+ uint32 cur_base, uint32 last,
+ uint32 wraps, bool* underflow)
 {
 int32 delta = seq_delta(cur_base, last);
@@ -1052,7 +1052,7 @@ static uint64 get_relative_seq(const TCP_Endpoint* endpoint,
 return endpoint->ToRelativeSeqSpace(cur_base, wraps);
 }
-static int get_segment_len(int payload_len, TCP_Flags flags)
+int TCP_Analyzer::get_segment_len(int payload_len, TCP_Flags flags)
 {
 int seg_len = payload_len;
diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h
index 69f3482ae0..c699abf62c 100644
--- a/src/analyzer/protocol/tcp/TCP.h
+++ b/src/analyzer/protocol/tcp/TCP.h
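Review bot: The two helpers in TCP.cc become class members but keep their file-local snake_case names, `TCP_Analyzer::get_relative_seq` here and `TCP_Analyzer::get_segment_len` in the next hunk, while the other members visible in this diff use CamelCase (`CheckPIA_FirstPacket`, `ToRelativeSeqSpace`). Since this commit is what turns them into an interface for derived analyzers, it is the cheapest moment to rename them, e.g. `GetRelativeSeq` and `GetSegmentLen`, together with the declarations in TCP.h. The bodies of both functions and their call sites lie outside these hunks, so the callers would need the same rename.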
@@ -174,6 +174,14 @@ protected:
 const u_char* option, TCP_Analyzer* analyzer, bool is_orig, void* cookie);
+ // A couple of handle utility functions that we make available
+ // to any derived analyzers.
+ static uint64 get_relative_seq(const TCP_Endpoint* endpoint,
+ uint32 cur_base, uint32 last,
+ uint32 wraps, bool* underflow = 0);
+
+ static int get_segment_len(int payload_len, TCP_Flags flags);
+
 private:
 TCP_Endpoint* orig;
 TCP_Endpoint* resp;
From 05b4d2a26c792dfd136eedbe703753a0d2322886 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 25 Apr 2019 10:22:11 -0700
Subject: [PATCH 85/88] Add Zeexygen cross-reference links for some events
---
 CHANGES | 4 ++++
 VERSION | 2 +-
 doc | 2 +-
 src/event.bif | 12 +++---------
 4 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/CHANGES b/CHANGES
index 40ebd17464..87f5e1b2ce 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
+2.6-246 | 2019-04-25 10:22:11 -0700
+
+ * Add Zeexygen cross-reference links for some events (Jon Siwek, Corelight)
+
 2.6-245 | 2019-04-23 18:42:02 -0700
 * Expose TCP analyzer utility functions to derived classes (Vern Paxson, Corelight)
diff --git a/VERSION b/VERSION
index c6645ac507..b439e78817 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-245
+2.6-246
diff --git a/doc b/doc
index dc37959938..07b9bd4f59 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit dc37959938b9a70a642e7be48693d5c5fd3d5e80
+Subproject commit 07b9bd4f59d6656b3488a17329d58f67cd797fcd
diff --git a/src/event.bif b/src/event.bif
index 3932618188..3505c686a5 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -48,9 +48,7 @@
 ##
 event zeek_init%(%);
-## Deprecated synonym for ``zeek_init``.
-##
-## .. zeek:see: zeek_init
+## Deprecated synonym for :zeek:see:`zeek_init`.
 event bro_init%(%) &deprecated;
 ## Generated at Zeek termination time. The event engine generates this event when
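Review bot: The comment introducing the new protected declarations in TCP.h reads "A couple of handle utility functions", which looks like a typo for "handy", and neither declaration says what its arguments mean. Because these are now an interface for derived analyzers, `get_relative_seq` should state that `underflow` is an optional out-parameter and what a caller is expected to do when it is set; the code that sets it is outside this hunk, so the author has to supply the exact condition. Suggested first line: `// A couple of handy utility functions that we make available`. `bool* underflow = nullptr` would also read more clearly than `= 0`, if the language level used by the project allows it.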
@@ -66,9 +64,7 @@ event bro_init%(%) &deprecated;
 ## is not generated.
 event zeek_done%(%);
-## Deprecated synonym for ``zeek_done``.
-##
-## .. zeek:see: zeek_done
+## Deprecated synonym for :zeek:see:`zeek_done`.
 event bro_done%(%) &deprecated;
 ## Generated for every new connection. This event is raised with the first
@@ -876,9 +872,7 @@ event reporter_error%(t: time, msg: string, location: string%) &error_handler;
 ## recursively for each ``@load``.
 event zeek_script_loaded%(path: string, level: count%);
-## Deprecated synonym for ``zeek_script_loaded``.
-##
-## .. zeek:see: zeek_script_loaded
+## Deprecated synonym for :zeek:see:`zeek_script_loaded`.
 event bro_script_loaded%(path: string, level: count%) &deprecated;
 ## Generated each time Bro's script interpreter opens a file. This event is
From a93e9317d5d3537214b39f1929003f40adda0df1 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 25 Apr 2019 12:00:21 -0700
Subject: [PATCH 86/88] Updating submodule(s). [nomail]
---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc b/doc
index 07b9bd4f59..073bb08473 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 07b9bd4f59d6656b3488a17329d58f67cd797fcd
+Subproject commit 073bb08473b8172b8bb175e0702204f15f522392
From cc83b8ce8ec5133a5111df6f2351755349e79c6b Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Fri, 26 Apr 2019 09:43:57 -0700
Subject: [PATCH 87/88] Updating submodule(s). [nomail]
---
 aux/bifcl | 2 +-
 aux/binpac | 2 +-
 aux/broccoli | 2 +-
 aux/broctl | 2 +-
 aux/broker | 2 +-
 aux/zeek-aux | 2 +-
 cmake | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/aux/bifcl b/aux/bifcl
index 1dea95dd78..1b5375e9f8 160000
--- a/aux/bifcl
+++ b/aux/bifcl
@@ -1 +1 @@
-Subproject commit 1dea95dd7819cb6b80291d5830e2b7d04b14abd0
+Subproject commit 1b5375e9f81ecec59f983e6abe86300c6bbbcb8f
diff --git a/aux/binpac b/aux/binpac
index f648419d79..04c7e27a22 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@ -Subproject commit f648419d796f8ab9f36991062ae790174e084aee +Subproject commit 04c7e27a22491a91ee309877253da0922d0822bc diff --git a/aux/broccoli b/aux/broccoli index 0ec42e5f54..8668422406 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 0ec42e5f54b7f0a65e35213d709ae19499526647 +Subproject commit 8668422406cb74f4f0c574a0c9b6365a21f3e81a diff --git a/aux/broctl b/aux/broctl index 5698525ae4..39ae4a469d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 5698525ae41c397c18eba1d5350cca18fa081665 +Subproject commit 39ae4a469d6ae86c12b49020b361da4fcab24b5b diff --git a/aux/broker b/aux/broker index 1ab04b7bd8..56408c5582 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 1ab04b7bd893f65c1339b2ac92596dca6ed66412 +Subproject commit 56408c5582c80db6774c8b25642149dfb542345a diff --git a/aux/zeek-aux b/aux/zeek-aux index 0ec8103a69..ba482418c4 160000 --- a/aux/zeek-aux +++ b/aux/zeek-aux @@ -1 +1 @@ -Subproject commit 0ec8103a698ae71ff23d4dfa9e38b624c22ae718 +Subproject commit ba482418c4e16551fd7b9128a4082348ef2842f0 diff --git a/cmake b/cmake index 8554b602ee..5521da04df 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 8554b602eed13076484fdac18fbdd934b061bed7 +Subproject commit 5521da04df0190e3362e4c5164df5c2c8884dd2c From 49908ac865ad2c556677718e951eee71a85bd8f4 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 26 Apr 2019 19:26:44 -0700 Subject: [PATCH 88/88] Fix parsing of hybrid IPv6-IPv4 addr literals with no zero compression --- CHANGES | 4 ++++ VERSION | 2 +- src/scan.l | 2 +- testing/btest/language/addr.zeek | 1 + 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 87f5e1b2ce..18e2d85a74 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,8 @@ +2.6-249 | 2019-04-26 19:26:44 -0700 + + * Fix parsing of hybrid IPv6-IPv4 addr literals with no zero compression (Jon Siwek, Corelight) + 2.6-246 | 2019-04-25 10:22:11 -0700 * Add Zeexygen cross-reference links for some events (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index b439e78817..acde488fd3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-246 +2.6-249 diff --git a/src/scan.l b/src/scan.l index 0b9a019cc8..4da90394e7 100644 --- a/src/scan.l +++ b/src/scan.l @@ -152,7 +152,7 @@ D [0-9]+ HEX [0-9a-fA-F]+ IDCOMPONENT [A-Za-z_][A-Za-z_0-9]* ID {IDCOMPONENT}(::{IDCOMPONENT})* -IP6 ("["({HEX}:){7}{HEX}"]")|("["0x{HEX}({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*({D}"."){3}{D}"]") +IP6 ("["({HEX}:){7}{HEX}"]")|("["0x{HEX}({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}:){6}({D}"."){3}{D}"]")|("["({HEX}|:)*"::"({HEX}|:)*({D}"."){3}{D}"]") FILE [^ \t\n]+ PREFIX [^ \t\n]+ FLOAT (({D}*"."?{D})|({D}"."?{D}*))([eE][-+]?{D})? diff --git a/testing/btest/language/addr.zeek b/testing/btest/language/addr.zeek index dff376ec4a..8829c20da2 100644 --- a/testing/btest/language/addr.zeek +++ b/testing/btest/language/addr.zeek @@ -31,6 +31,7 @@ event zeek_init() local b6: addr = [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]; local b7: addr = [AAAA:BBBB:CCCC:DDDD:EEEE:FFFF:1111:2222]; local b8 = [a::b]; + local b9 = [2001:db8:0:0:0:FFFF:192.168.0.5]; test_case( "IPv6 address inequality", b1 != b2 ); test_case( "IPv6 address equality", b1 == b5 );
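Review bot: The `IP6` definition in scan.l is now five alternatives on one line with no comment, and the new one, `("["({HEX}:){6}({D}"."){3}{D}"]")`, inherits the unbounded `{HEX}` (`[0-9a-fA-F]+`) and `{D}` (`[0-9]+`) definitions shown in the context lines. As written, the token also matches groups longer than four hex digits and octets above 255. Whether those are rejected depends on the conversion code behind the rule action, which is not visible here. A short comment above the definition would make that division of labour explicit, e.g. `/* IP6 alternatives: 8 groups | 0x-prefixed with "::" | with "::" | 6 groups + dotted quad | "::" + dotted quad. Group and octet ranges are NOT checked by the lexer. */`. If nothing downstream checks ranges, that deserves its own fix rather than a regex change here.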
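Review bot: `b9` is declared in addr.zeek but never asserted on. The diffstat shows one added line for this file, so the test only proves that the uncompressed hybrid literal lexes, not that it converts to the right address. A regression that accepts the token but mis-places the dotted quad would still pass. I would add `test_case( "IPv6 hybrid literal without compression", b9 == [2001:db8::ffff:c0a8:5] );` next to the existing equality checks, and update the test's baseline output if it has one. The body of `zeek_init` continues outside this hunk.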