update master and merge into this branch

This commit is contained in:
Mauro Palumbo 2019-05-05 16:46:41 +02:00
commit c90eec6b54
1667 changed files with 12111 additions and 6888 deletions


@ -51,7 +51,7 @@ void Attr::Describe(ODesc* d) const
void Attr::DescribeReST(ODesc* d) const
{
d->Add(":bro:attr:`");
d->Add(":zeek:attr:`");
AddTag(d);
d->Add("`");
@ -64,14 +64,14 @@ void Attr::DescribeReST(ODesc* d) const
if ( expr->Tag() == EXPR_NAME )
{
d->Add(":bro:see:`");
d->Add(":zeek:see:`");
expr->Describe(d);
d->Add("`");
}
else if ( expr->Type()->Tag() == TYPE_FUNC )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(expr->Type()->AsFuncType()->FlavorString());
d->Add("`");
}


@ -143,7 +143,7 @@ set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE)
add_subdirectory(analyzer)
add_subdirectory(broker)
add_subdirectory(broxygen)
add_subdirectory(zeexygen)
add_subdirectory(file_analysis)
add_subdirectory(input)
add_subdirectory(iosource)
@ -319,6 +319,7 @@ set(bro_SRCS
UID.cc
Val.cc
Var.cc
WeirdState.cc
bsd-getopt-long.c
bro_inet_ntop.c
cq.c
@ -385,17 +386,17 @@ add_dependencies(generate_outputs_stage2b generate_outputs_stage1)
add_custom_target(generate_outputs)
add_dependencies(generate_outputs generate_outputs_stage2a generate_outputs_stage2b)
# Build __load__.bro files for standard *.bif.bro.
# Build __load__.zeek files for standard *.bif.zeek.
bro_bif_create_loader(bif_loader "${bro_BASE_BIF_SCRIPTS}")
add_dependencies(bif_loader ${bro_SUBDIRS})
add_dependencies(bro bif_loader)
# Build __load__.bro files for plugins/*.bif.bro.
# Build __load__.zeek files for plugins/*.bif.zeek.
bro_bif_create_loader(bif_loader_plugins "${bro_PLUGIN_BIF_SCRIPTS}")
add_dependencies(bif_loader_plugins ${bro_SUBDIRS})
add_dependencies(bro bif_loader_plugins)
# Install *.bif.bro.
# Install *.bif.zeek.
install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base)
# Create plugin directory at install time.


@ -1075,27 +1075,5 @@ void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label)
bool Connection::PermitWeird(const char* name, uint64 threshold, uint64 rate,
double duration)
{
auto& state = weird_state[name];
++state.count;
if ( state.count <= threshold )
return true;
if ( state.count == threshold + 1)
state.sampling_start_time = network_time;
else
{
if ( network_time > state.sampling_start_time + duration )
{
state.sampling_start_time = 0;
state.count = 1;
return true;
}
}
auto num_above_threshold = state.count - threshold;
if ( rate )
return num_above_threshold % rate == 0;
else
return false;
return ::PermitWeird(weird_state, name, threshold, rate, duration);
}


@ -17,6 +17,7 @@
#include "IPAddr.h"
#include "TunnelEncapsulation.h"
#include "UID.h"
#include "WeirdState.h"
#include "analyzer/Tag.h"
#include "analyzer/Analyzer.h"
@ -345,14 +346,7 @@ protected:
analyzer::pia::PIA* primary_PIA;
Bro::UID uid; // Globally unique connection ID.
struct WeirdState {
WeirdState() { count = 0; sampling_start_time = 0; }
uint64 count = 0;
double sampling_start_time = 0;
};
std::unordered_map<std::string, WeirdState> weird_state;
WeirdStateMap weird_state;
};
class ConnectionTimer : public Timer {


@ -348,7 +348,7 @@ vector<ParseLocationRec> parse_location_string(const string& s)
if ( ! sscanf(line_string.c_str(), "%d", &plr.line) )
plr.type = plrUnknown;
string path(find_file(filename, bro_path(), "bro"));
string path(find_script_file(filename, bro_path()));
if ( path.empty() )
{


@ -18,7 +18,7 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
{ "dpd", 0, false }, { "tm", 0, false },
{ "logging", 0, false }, {"input", 0, false },
{ "threading", 0, false }, { "file_analysis", 0, false },
{ "plugins", 0, false }, { "broxygen", 0, false },
{ "plugins", 0, false }, { "zeexygen", 0, false },
{ "pktio", 0, false }, { "broker", 0, false },
{ "scripts", 0, false}
};


@ -30,7 +30,7 @@ enum DebugStream {
DBG_THREADING, // Threading system
DBG_FILE_ANALYSIS, // File analysis
DBG_PLUGINS, // Plugin system
DBG_BROXYGEN, // Broxygen
DBG_ZEEXYGEN, // Zeexygen
DBG_PKTIO, // Packet sources and dumpers.
DBG_BROKER, // Broker communication
DBG_SCRIPTS, // Script initialization


@ -17,6 +17,10 @@
// is prime.
#define PRIME_THRESH 1000
// Default number of hash buckets in dictionary. The dictionary will
// increase the size of the hash table as needed.
#define DEFAULT_DICT_SIZE 16
class DictEntry {
public:
DictEntry(void* k, int l, hash_t h, void* val)
@ -53,7 +57,7 @@ public:
Dictionary::Dictionary(dict_order ordering, int initial_size)
{
Init(initial_size);
tbl = 0;
tbl2 = 0;
if ( ordering == ORDERED )
@ -61,14 +65,17 @@ Dictionary::Dictionary(dict_order ordering, int initial_size)
else
order = 0;
SetDensityThresh(DEFAULT_DENSITY_THRESH);
delete_func = 0;
tbl_next_ind = 0;
cumulative_entries = 0;
num_buckets = num_entries = max_num_entries = thresh_entries = 0;
den_thresh = 0;
num_buckets2 = num_entries2 = max_num_entries2 = thresh_entries2 = 0;
den_thresh2 = 0;
if ( initial_size > 0 )
Init(initial_size);
}
Dictionary::~Dictionary()
@ -80,12 +87,15 @@ Dictionary::~Dictionary()
void Dictionary::Clear()
{
DeInit();
Init(2);
tbl = 0;
tbl2 = 0;
}
void Dictionary::DeInit()
{
if ( ! tbl )
return;
for ( int i = 0; i < num_buckets; ++i )
if ( tbl[i] )
{
@ -127,6 +137,9 @@ void Dictionary::DeInit()
void* Dictionary::Lookup(const void* key, int key_size, hash_t hash) const
{
if ( ! tbl && ! tbl2 )
return 0;
hash_t h;
PList(DictEntry)* chain;
@ -155,6 +168,9 @@ void* Dictionary::Lookup(const void* key, int key_size, hash_t hash) const
void* Dictionary::Insert(void* key, int key_size, hash_t hash, void* val,
int copy_key)
{
if ( ! tbl )
Init(DEFAULT_DICT_SIZE);
DictEntry* new_entry = new DictEntry(key, key_size, hash, val);
void* old_val = Insert(new_entry, copy_key);
@ -179,6 +195,9 @@ void* Dictionary::Insert(void* key, int key_size, hash_t hash, void* val,
void* Dictionary::Remove(const void* key, int key_size, hash_t hash,
bool dont_delete)
{
if ( ! tbl && ! tbl2 )
return 0;
hash_t h;
PList(DictEntry)* chain;
int* num_entries_ptr;
@ -280,6 +299,14 @@ void Dictionary::StopIteration(IterCookie* cookie) const
void* Dictionary::NextEntry(HashKey*& h, IterCookie*& cookie, int return_hash) const
{
if ( ! tbl && ! tbl2 )
{
const_cast<PList(IterCookie)*>(&cookies)->remove(cookie);
delete cookie;
cookie = 0;
return 0;
}
// If there are any inserted entries, return them first.
// That keeps the list small and helps avoiding searching
// a large list when deleting an entry.
@ -366,6 +393,7 @@ void Dictionary::Init(int size)
tbl[i] = 0;
max_num_entries = num_entries = 0;
SetDensityThresh(DEFAULT_DENSITY_THRESH);
}
void Dictionary::Init2(int size)
@ -382,6 +410,9 @@ void Dictionary::Init2(int size)
// private
void* Dictionary::Insert(DictEntry* new_entry, int copy_key)
{
if ( ! tbl )
Init(DEFAULT_DICT_SIZE);
PList(DictEntry)** ttbl;
int* num_entries_ptr;
int* max_num_entries_ptr;
@ -568,6 +599,9 @@ unsigned int Dictionary::MemoryAllocation() const
{
int size = padded_sizeof(*this);
if ( ! tbl )
return size;
for ( int i = 0; i < num_buckets; ++i )
if ( tbl[i] )
{
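Review bot: In the constructor hunk, `SetDensityThresh(DEFAULT_DENSITY_THRESH);` on the line before `delete_func = 0;` is immediately undone by the new `den_thresh = 0;` a few lines later, so with the new default `initial_size = 0` the threshold is only valid once `Init()` (which now calls `SetDensityThresh` itself) runs on the first insert. Either move the zeroing above that call or drop the call, so the ordering does not look accidental to the next reader. `Clear()` no longer goes through `Init()`; unless `DeInit()` (its body continues outside the hunk) resets `num_entries`, `num_buckets` and `tbl_next_ind`, a cleared dictionary keeps stale counters until the next insert, which is worth a comment such as `// Lazily re-created by the next Insert(); counters are reset there.` either way. `Lookup`, `Remove` and `NextEntry` guard on `! tbl && ! tbl2` while `Insert` and `MemoryAllocation` guard on `! tbl` alone; if `tbl` can be null while `tbl2` is live during a rehash (can't tell from here), the two guard forms should agree.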


@ -13,10 +13,6 @@ class IterCookie;
declare(PList,DictEntry);
declare(PList,IterCookie);
// Default number of hash buckets in dictionary. The dictionary will
// increase the size of the hash table as needed.
#define DEFAULT_DICT_SIZE 16
// Type indicating whether the dictionary should keep track of the order
// of insertions.
typedef enum { ORDERED, UNORDERED } dict_order;
@ -30,7 +26,7 @@ extern void generic_delete_func(void*);
class Dictionary {
public:
explicit Dictionary(dict_order ordering = UNORDERED,
int initial_size = DEFAULT_DICT_SIZE);
int initial_size = 0);
virtual ~Dictionary();
// Member functions for looking up a key, inserting/changing its
@ -196,7 +192,7 @@ private:
class PDict(type) : public Dictionary { \
public: \
explicit PDict(type)(dict_order ordering = UNORDERED, \
int initial_size = DEFAULT_DICT_SIZE) : \
int initial_size = 0) : \
Dictionary(ordering, initial_size) {} \
type* Lookup(const char* key) const \
{ \


@ -1382,7 +1382,7 @@ SizeExpr::SizeExpr(Expr* arg_op) : UnaryExpr(EXPR_SIZE, arg_op)
return;
if ( op->Type()->InternalType() == TYPE_INTERNAL_DOUBLE )
SetType(op->Type()->Ref());
SetType(base_type(TYPE_DOUBLE));
else
SetType(base_type(TYPE_COUNT));
}
@ -2337,7 +2337,13 @@ CondExpr::CondExpr(Expr* arg_op1, Expr* arg_op2, Expr* arg_op3)
ExprError("operands must be of the same type");
else
SetType(op2->Type()->Ref());
{
if ( IsRecord(bt2) && IsRecord(bt3) &&
! same_type(op2->Type(), op3->Type()) )
ExprError("operands must be of the same type");
else
SetType(op2->Type()->Ref());
}
}
}


@ -14,7 +14,7 @@
#include "PersistenceSerializer.h"
#include "Scope.h"
#include "Traverse.h"
#include "broxygen/Manager.h"
#include "zeexygen/Manager.h"
ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export)
{
@ -651,9 +651,9 @@ void ID::DescribeExtended(ODesc* d) const
void ID::DescribeReSTShort(ODesc* d) const
{
if ( is_type )
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
else
d->Add(":bro:id:`");
d->Add(":zeek:id:`");
d->Add(name);
d->Add("`");
@ -661,7 +661,7 @@ void ID::DescribeReSTShort(ODesc* d) const
if ( type )
{
d->Add(": ");
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
if ( ! is_type && ! type->GetName().empty() )
d->Add(type->GetName().c_str());
@ -682,7 +682,7 @@ void ID::DescribeReSTShort(ODesc* d) const
if ( is_type )
d->Add(type_name(t));
else
d->Add(broxygen_mgr->GetEnumTypeName(Name()).c_str());
d->Add(zeexygen_mgr->GetEnumTypeName(Name()).c_str());
break;
default:
@ -706,18 +706,18 @@ void ID::DescribeReST(ODesc* d, bool roles_only) const
if ( roles_only )
{
if ( is_type )
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
else
d->Add(":bro:id:`");
d->Add(":zeek:id:`");
d->Add(name);
d->Add("`");
}
else
{
if ( is_type )
d->Add(".. bro:type:: ");
d->Add(".. zeek:type:: ");
else
d->Add(".. bro:id:: ");
d->Add(".. zeek:id:: ");
d->Add(name);
}
@ -730,7 +730,7 @@ void ID::DescribeReST(ODesc* d, bool roles_only) const
if ( ! is_type && ! type->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(type->GetName());
d->Add("`");
}


@ -288,7 +288,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
}
default:
reporter->Weird(fmt("unknown_mobility_type_%d", mob->ip6mob_type));
reporter->Weird("unknown_mobility_type");
break;
}
@ -553,7 +553,7 @@ void IPv6_Hdr_Chain::ProcessRoutingHeader(const struct ip6_rthdr* r, uint16 len)
#endif
default:
reporter->Weird(fmt("unknown_routing_type_%d", r->ip6r_type));
reporter->Weird(SrcAddr(), DstAddr(), "unknown_routing_type");
break;
}
}
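Review bot: The two hunks report through different overloads: `reporter->Weird("unknown_mobility_type")` is the connectionless form, while `unknown_routing_type` is raised with `SrcAddr(), DstAddr()`. If `IPv6_Hdr::BuildRecordVal` also has the packet addresses at hand (can't tell from here), using the flow form there too keeps both weirds attributable to the same endpoints. Both sites now drop the numeric type the old `fmt()` names carried; since the fixed names are what keeps the per-name weird state bounded, a one-line comment such as `// Fixed name on purpose: weird names key the sampling state, keep them out of packet control.` at one of the sites would stop the value from being put back into the name later.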


@ -6,33 +6,27 @@
#include "List.h"
#include "util.h"
static const int DEFAULT_CHUNK_SIZE = 10;
#define DEFAULT_LIST_SIZE 10
#define GROWTH_FACTOR 2
BaseList::BaseList(int size)
{
chunk_size = DEFAULT_CHUNK_SIZE;
num_entries = 0;
max_entries = 0;
entry = 0;
if ( size < 0 )
{
num_entries = max_entries = 0;
entry = 0;
}
else
{
if ( size > 0 )
chunk_size = size;
if ( size <= 0 )
return;
num_entries = 0;
entry = (ent *) safe_malloc(chunk_size * sizeof(ent));
max_entries = chunk_size;
}
max_entries = size;
entry = (ent *) safe_malloc(max_entries * sizeof(ent));
}
BaseList::BaseList(BaseList& b)
{
max_entries = b.max_entries;
chunk_size = b.chunk_size;
num_entries = b.num_entries;
if ( max_entries )
@ -58,7 +52,6 @@ void BaseList::operator=(BaseList& b)
free(entry);
max_entries = b.max_entries;
chunk_size = b.chunk_size;
num_entries = b.num_entries;
if ( max_entries )
@ -73,10 +66,7 @@ void BaseList::operator=(BaseList& b)
void BaseList::insert(ent a)
{
if ( num_entries == max_entries )
{
resize(max_entries + chunk_size); // make more room
chunk_size *= 2;
}
resize(max_entries ? max_entries * GROWTH_FACTOR : DEFAULT_LIST_SIZE);
for ( int i = num_entries; i > 0; --i )
entry[i] = entry[i-1]; // move all pointers up one
@ -94,10 +84,7 @@ void BaseList::sortedinsert(ent a, list_cmp_func cmp_func)
// First append element.
if ( num_entries == max_entries )
{
resize(max_entries + chunk_size);
chunk_size *= 2;
}
resize(max_entries ? max_entries * GROWTH_FACTOR : DEFAULT_LIST_SIZE);
entry[num_entries++] = a;
@ -141,10 +128,7 @@ ent BaseList::remove_nth(int n)
void BaseList::append(ent a)
{
if ( num_entries == max_entries )
{
resize(max_entries + chunk_size); // make more room
chunk_size *= 2;
}
resize(max_entries ? max_entries * GROWTH_FACTOR : DEFAULT_LIST_SIZE);
entry[num_entries++] = a;
}
@ -168,7 +152,6 @@ void BaseList::clear()
}
num_entries = max_entries = 0;
chunk_size = DEFAULT_CHUNK_SIZE;
}
ent BaseList::replace(int ent_index, ent new_ent)
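Review bot: The growth expression `resize(max_entries ? max_entries * GROWTH_FACTOR : DEFAULT_LIST_SIZE);` is repeated verbatim in `insert`, `sortedinsert` and `append`; a private helper, `void BaseList::grow() { resize(max_entries ? max_entries * GROWTH_FACTOR : DEFAULT_LIST_SIZE); }` (declared in List.h), keeps the policy in one place. `max_entries * GROWTH_FACTOR` is `int` arithmetic, so a list past `INT_MAX / GROWTH_FACTOR` entries would overflow rather than fail; the old `chunk_size` path had a comparable exposure, so this is not a regression, but the helper is the natural place for a clamp or assertion. The constructor's early `return` for `size <= 0` now leaves `entry == 0` with `max_entries == 0`, which the `max_entries ? ... :` branch relies on; a short comment there would tie the two together.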


@ -11,7 +11,7 @@
// element up, and resizing the list, which involves getting new space
// and moving the data. Resizing occurs automatically when inserting
// more elements than the list can currently hold. Automatic
// resizing is done one "chunk_size" of elements at a time and
// resizing is done by growing by GROWTH_FACTOR at a time and
// always increases the size of the list. Resizing to zero
// (or to less than the current value of num_entries)
// will decrease the size of the list to the current number of
@ -32,7 +32,6 @@ public:
void clear(); // remove all entries
int length() const { return num_entries; }
int chunk() const { return chunk_size; }
int max() const { return max_entries; }
int resize(int = 0); // 0 => size to fit current number of entries
@ -79,7 +78,6 @@ protected:
void operator=(BaseList&);
ent* entry;
int chunk_size; // increase size by this amount when necessary
int max_entries;
int num_entries;
};


@ -188,7 +188,7 @@ void net_init(name_list& interfaces, name_list& readfiles,
else
// have_pending_timers = 1, possibly. We don't set
// that here, though, because at this point we don't know
// whether the user's bro_init() event will indeed set
// whether the user's zeek_init() event will indeed set
// a timer.
reading_traces = reading_live = 0;


@ -295,7 +295,7 @@ void OSFingerprint::load_config(const char* file)
char buf[MAXLINE];
char* p;
FILE* c = open_file(find_file(file, bro_path(), "osf"));
FILE* c = open_file(find_file(file, bro_path(), ".osf"));
if (!c)
{


@ -13,6 +13,7 @@
#include "Timer.h"
#include "plugin/Plugin.h"
#include "plugin/Manager.h"
#include "file_analysis/File.h"
#ifdef SYSLOG_INT
extern "C" {
@ -213,12 +214,14 @@ void Reporter::Syslog(const char* fmt, ...)
va_end(ap);
}
void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...)
void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...)
{
val_list* vl = new val_list(1);
if ( conn_val )
vl->append(conn_val);
else if ( f )
vl->append(f->GetVal()->Ref());
if ( addl )
vl->append(new StringVal(addl));
@ -339,7 +342,21 @@ void Reporter::Weird(const char* name)
return;
}
WeirdHelper(net_weird, 0, 0, "%s", name);
WeirdHelper(net_weird, 0, 0, 0, "%s", name);
}
void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl)
{
UpdateWeirdStats(name);
if ( ! WeirdOnSamplingWhiteList(name) )
{
if ( ! f->PermitWeird(name, weird_sampling_threshold,
weird_sampling_rate, weird_sampling_duration) )
return;
}
WeirdHelper(file_weird, 0, f, addl, "%s", name);
}
void Reporter::Weird(Connection* conn, const char* name, const char* addl)
@ -353,7 +370,7 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl)
return;
}
WeirdHelper(conn_weird, conn->BuildConnVal(), addl, "%s", name);
WeirdHelper(conn_weird, conn->BuildConnVal(), 0, addl, "%s", name);
}
void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name)
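Review bot: The new `Reporter::Weird(file_analysis::File* f, ...)` dereferences `f` unconditionally in `f->PermitWeird(...)`, whereas `WeirdHelper` guards the same pointer with `else if ( f )`; either document the precondition on the overload, `// f must be non-null; the file value is attached to the event.`, or check it before sampling so the two agree. `vl->append(f->GetVal()->Ref())` presumably adds a reference to a value the file keeps owning, while the connection path passes `conn->BuildConnVal()`, which appears to construct a fresh value; a comment on the ownership difference would help whoever next touches the argument list. The Connection overload's body ends outside the hunk.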


@ -17,6 +17,7 @@
#include "IPAddr.h"
namespace analyzer { class Analyzer; }
namespace file_analysis { class File; }
class Connection;
class Location;
class Reporter;
@ -84,6 +85,7 @@ public:
// Report a traffic weirdness, i.e., an unexpected protocol situation
// that may lead to incorrectly processing a connnection.
void Weird(const char* name); // Raises net_weird().
void Weird(file_analysis::File* f, const char* name, const char* addl = ""); // Raises file_weird().
void Weird(Connection* conn, const char* name, const char* addl = ""); // Raises conn_weird().
void Weird(const IPAddr& orig, const IPAddr& resp, const char* name); // Raises flow_weird().
@ -238,7 +240,7 @@ private:
// The order if addl, name needs to be like that since fmt_name can
// contain format specifiers
void WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...) __attribute__((format(printf, 5, 6)));;
void WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...) __attribute__((format(printf, 6, 7)));;
void WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...) __attribute__((format(printf, 4, 5)));;
void UpdateWeirdStats(const char* name);
inline bool WeirdOnSamplingWhiteList(const char* name)


@ -235,7 +235,7 @@ bool RuleMatcher::ReadFiles(const name_list& files)
for ( int i = 0; i < files.length(); ++i )
{
rules_in = open_file(find_file(files[i], bro_path(), "sig"));
rules_in = open_file(find_file(files[i], bro_path(), ".sig"));
if ( ! rules_in )
{


@ -537,8 +537,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
if ( gre_version != 0 && gre_version != 1 )
{
Weird(fmt("unknown_gre_version_%d", gre_version), ip_hdr,
encapsulation);
Weird("unknown_gre_version", ip_hdr, encapsulation);
return;
}
@ -613,8 +612,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
else
{
// Not IPv4/IPv6 payload.
Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr,
encapsulation);
Weird("unknown_gre_protocol", ip_hdr, encapsulation);
return;
}
@ -747,7 +745,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
}
default:
Weird(fmt("unknown_protocol_%d", proto), pkt, encapsulation);
Weird("unknown_protocol", pkt, encapsulation);
return;
}


@ -1421,12 +1421,38 @@ ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr)
e->Error("target to iterate over must be a table, set, vector, or string");
}
ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr, ID* val_var)
: ForStmt(arg_loop_vars, loop_expr)
{
value_var = val_var;
if ( e->Type()->IsTable() )
{
BroType* yield_type = e->Type()->AsTableType()->YieldType();
// Verify value_vars type if its already been defined
if ( value_var->Type() )
{
if ( ! same_type(value_var->Type(), yield_type) )
value_var->Type()->Error("type clash in iteration", yield_type);
}
else
{
delete add_local(value_var, yield_type->Ref(), INIT_NONE,
0, 0, VAR_REGULAR);
}
}
else
e->Error("key value for loops only support iteration over tables");
}
ForStmt::~ForStmt()
{
loop_over_list(*loop_vars, i)
Unref((*loop_vars)[i]);
delete loop_vars;
Unref(value_var);
Unref(body);
}
@ -1443,12 +1469,16 @@ Val* ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
return 0;
HashKey* k;
TableEntryVal* current_tev;
IterCookie* c = loop_vals->InitForIteration();
while ( loop_vals->NextEntry(k, c) )
while ( (current_tev = loop_vals->NextEntry(k, c)) )
{
ListVal* ind_lv = tv->RecoverIndex(k);
delete k;
if ( value_var )
f->SetElement(value_var->Offset(), current_tev->Value()->Ref());
for ( int i = 0; i < ind_lv->Length(); i++ )
f->SetElement((*loop_vars)[i]->Offset(), ind_lv->Index(i)->Ref());
Unref(ind_lv);
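Review bot: The key-value constructor reports `e->Error("key value for loops only support iteration over tables")` but still leaves `value_var` set, so `DoExec` would reach `f->SetElement(value_var->Offset(), current_tev->Value()->Ref())` on the same statement; presumably compile errors stop execution first, but that assumption deserves a comment in the constructor. The constructor also takes ownership of `val_var` (the destructor does `Unref(value_var)`) without a matching `Ref()`, mirroring how `loop_vars` is handled; that transfer should be stated where the parameter is documented. `DoExec`'s body begins and ends outside the hunk.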


@ -337,6 +337,8 @@ protected:
class ForStmt : public ExprStmt {
public:
ForStmt(id_list* loop_vars, Expr* loop_expr);
// Special constructor for key value for loop.
ForStmt(id_list* loop_vars, Expr* loop_expr, ID* val_var);
~ForStmt() override;
void AddBody(Stmt* arg_body) { body = arg_body; }
@ -361,6 +363,9 @@ protected:
id_list* loop_vars;
Stmt* body;
// Stores the value variable being used for a key value for loop.
// Always set to nullptr unless special constructor is called.
ID* value_var = nullptr;
};
class NextStmt : public Stmt {
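Review bot: `// Special constructor for key value for loop.` does not say what `val_var` is or who owns it afterwards; suggest `// Constructor for the key-value form of the for loop: val_var receives the yield value of each table entry. loop_expr must be a table; ownership of val_var passes to the statement.` The member comment `// Always set to nullptr unless special constructor is called.` reads better as `// nullptr unless the key-value constructor was used.`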


@ -94,6 +94,14 @@ public:
((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
(ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
if ( ec1.type == BifEnum::Tunnel::VXLAN )
// Reversing endpoints is still same tunnel, destination port is
// always the same.
return ec1.dst_port == ec2.dst_port &&
ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
(ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr &&
ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port &&
ec1.uid == ec2.uid && ec1.proto == ec2.proto;
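Review bot: The new VXLAN branch places a comment and then a four-line `return` under an unbraced `if ( ec1.type == BifEnum::Tunnel::VXLAN )`; braces around the body would make the extent of the condition unambiguous and match the multi-line shape of the surrounding branches. The enclosing operator starts outside the hunk.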


@ -8,8 +8,8 @@
#include "Scope.h"
#include "Serializer.h"
#include "Reporter.h"
#include "broxygen/Manager.h"
#include "broxygen/utils.h"
#include "zeexygen/Manager.h"
#include "zeexygen/utils.h"
#include <string>
#include <list>
@ -190,7 +190,7 @@ void BroType::Describe(ODesc* d) const
void BroType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(fmt(":bro:type:`%s`", type_name(Tag())));
d->Add(fmt(":zeek:type:`%s`", type_name(Tag())));
}
void BroType::SetError()
@ -478,7 +478,7 @@ void IndexType::Describe(ODesc* d) const
void IndexType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
if ( IsSet() )
d->Add("set");
@ -497,7 +497,7 @@ void IndexType::DescribeReST(ODesc* d, bool roles_only) const
if ( ! t->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(t->GetName());
d->Add("`");
}
@ -513,7 +513,7 @@ void IndexType::DescribeReST(ODesc* d, bool roles_only) const
if ( ! yield_type->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(yield_type->GetName());
d->Add("`");
}
@ -800,7 +800,7 @@ void FuncType::Describe(ODesc* d) const
void FuncType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(FlavorString());
d->Add("`");
d->Add(" (");
@ -813,7 +813,7 @@ void FuncType::DescribeReST(ODesc* d, bool roles_only) const
if ( ! yield->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(yield->GetName());
d->Add("`");
}
@ -957,7 +957,7 @@ void TypeDecl::DescribeReST(ODesc* d, bool roles_only) const
if ( ! type->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(type->GetName());
d->Add("`");
}
@ -1073,7 +1073,7 @@ void RecordType::Describe(ODesc* d) const
void RecordType::DescribeReST(ODesc* d, bool roles_only) const
{
d->PushType(this);
d->Add(":bro:type:`record`");
d->Add(":zeek:type:`record`");
if ( num_fields == 0 )
return;
@ -1197,8 +1197,8 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
if ( func_args )
continue;
using broxygen::IdentifierInfo;
IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(GetName());
using zeexygen::IdentifierInfo;
IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(GetName());
if ( ! doc )
{
@ -1217,7 +1217,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
field_from_script != type_from_script )
{
d->PushIndent();
d->Add(broxygen::redef_indication(field_from_script).c_str());
d->Add(zeexygen::redef_indication(field_from_script).c_str());
d->PopIndent();
}
@ -1237,7 +1237,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
{
string s = cmnts[i];
if ( broxygen::prettify_params(s) )
if ( zeexygen::prettify_params(s) )
d->NL();
d->Add(s.c_str());
@ -1405,7 +1405,7 @@ void OpaqueType::Describe(ODesc* d) const
void OpaqueType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(fmt(":bro:type:`%s` of %s", type_name(Tag()), name.c_str()));
d->Add(fmt(":zeek:type:`%s` of %s", type_name(Tag()), name.c_str()));
}
IMPLEMENT_SERIAL(OpaqueType, SER_OPAQUE_TYPE);
@ -1505,12 +1505,12 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name,
if ( deprecated )
id->MakeDeprecated();
broxygen_mgr->Identifier(id);
zeexygen_mgr->Identifier(id);
}
else
{
// We allow double-definitions if matching exactly. This is so that
// we can define an enum both in a *.bif and *.bro for avoiding
// we can define an enum both in a *.bif and *.zeek for avoiding
// cyclic dependencies.
string fullname = make_full_var_name(module_name.c_str(), name);
if ( id->Name() != fullname
@ -1597,7 +1597,7 @@ EnumVal* EnumType::GetVal(bro_int_t i)
void EnumType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(":bro:type:`enum`");
d->Add(":zeek:type:`enum`");
// Create temporary, reverse name map so that enums can be documented
// in ascending order of their actual integral value instead of by name.
@ -1614,12 +1614,12 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
d->PushIndent();
if ( roles_only )
d->Add(fmt(":bro:enum:`%s`", it->second.c_str()));
d->Add(fmt(":zeek:enum:`%s`", it->second.c_str()));
else
d->Add(fmt(".. bro:enum:: %s %s", it->second.c_str(), GetName().c_str()));
d->Add(fmt(".. zeek:enum:: %s %s", it->second.c_str(), GetName().c_str()));
using broxygen::IdentifierInfo;
IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(it->second);
using zeexygen::IdentifierInfo;
IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(it->second);
if ( ! doc )
{
@ -1634,7 +1634,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
if ( doc->GetDeclaringScript() )
enum_from_script = doc->GetDeclaringScript()->Name();
IdentifierInfo* type_doc = broxygen_mgr->GetIdentifierInfo(GetName());
IdentifierInfo* type_doc = zeexygen_mgr->GetIdentifierInfo(GetName());
if ( type_doc && type_doc->GetDeclaringScript() )
type_from_script = type_doc->GetDeclaringScript()->Name();
@ -1644,7 +1644,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
{
d->NL();
d->PushIndent();
d->Add(broxygen::redef_indication(enum_from_script).c_str());
d->Add(zeexygen::redef_indication(enum_from_script).c_str());
d->PopIndent();
}
@ -1818,12 +1818,12 @@ void VectorType::Describe(ODesc* d) const
void VectorType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(fmt(":bro:type:`%s` of ", type_name(Tag())));
d->Add(fmt(":zeek:type:`%s` of ", type_name(Tag())));
if ( yield_type->GetName().empty() )
yield_type->DescribeReST(d, roles_only);
else
d->Add(fmt(":bro:type:`%s`", yield_type->GetName().c_str()));
d->Add(fmt(":zeek:type:`%s`", yield_type->GetName().c_str()));
}
BroType* base_type_no_ref(TypeTag tag)


@ -425,7 +425,7 @@ Val* Val::SizeVal() const
return val_mgr->GetCount(val.uint_val);
case TYPE_INTERNAL_DOUBLE:
return new Val(fabs(val.double_val), type->Tag());
return new Val(fabs(val.double_val), TYPE_DOUBLE);
case TYPE_INTERNAL_OTHER:
if ( type->Tag() == TYPE_FUNC )
@ -2319,7 +2319,7 @@ void TableVal::DoExpire(double t)
if ( v->ExpireAccessTime() == 0 )
{
// This happens when we insert val while network_time
// hasn't been initialized yet (e.g. in bro_init()), and
// hasn't been initialized yet (e.g. in zeek_init()), and
// also when bro_start_network_time hasn't been initialized
// (e.g. before first packet). The expire_access_time is
// correct, so we just need to wait.

30
src/WeirdState.cc Normal file

@ -0,0 +1,30 @@
#include "WeirdState.h"
#include "Net.h"
bool PermitWeird(WeirdStateMap& wsm, const char* name, uint64_t threshold,
uint64_t rate, double duration)
{
auto& state = wsm[name];
++state.count;
if ( state.count <= threshold )
return true;
if ( state.count == threshold + 1)
state.sampling_start_time = network_time;
else
{
if ( network_time > state.sampling_start_time + duration )
{
state.sampling_start_time = 0;
state.count = 1;
return true;
}
}
auto num_above_threshold = state.count - threshold;
if ( rate )
return num_above_threshold % rate == 0;
else
return false;
}
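Review bot: `PermitWeird` is a new public function whose sampling contract is not obvious from the code, and it has no header comment; describe it in WeirdState.h along the lines of: returns true while fewer than `threshold` occurrences of `name` have been seen, after that only every `rate`-th occurrence (never, if `rate` is 0), and the window resets once `duration` seconds have passed since the threshold was crossed, with `network_time` read from the global in Net.h. The map is keyed by the literal `name`, so each distinct name is a permanent entry; that is why the companion hunks in IP.cc, Sessions.cc and BitTorrentTracker.cc replace `fmt()`-built names with fixed strings, and the comment should state that callers must not derive `name` from packet or file contents or the map grows without bound. The reset branch sets `state.count = 1` and returns true, so the first occurrence after an expired window is counted and permitted; a one-line comment there would save the reader from re-deriving it.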

21
src/WeirdState.h Normal file

@ -0,0 +1,21 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef WEIRDSTATE_H
#define WEIRDSTATE_H
#include <string>
#include <unordered_map>
struct WeirdState {
WeirdState() { count = 0; sampling_start_time = 0; }
uint64_t count = 0;
double sampling_start_time = 0;
};
using WeirdStateMap = std::unordered_map<std::string, WeirdState>;
bool PermitWeird(WeirdStateMap& wsm, const char* name, uint64_t threshold,
uint64_t rate, double duration);
#endif // WEIRDSTATE_H
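Review bot: The header uses `uint64_t` in both `WeirdState` and the `PermitWeird` declaration but only includes `<string>` and `<unordered_map>`; add `#include <cstdint>` so it compiles regardless of include order. The constructor `WeirdState() { count = 0; sampling_start_time = 0; }` merely repeats the default member initializers on the next two lines; `WeirdState() = default;` or no constructor at all says the same thing and keeps the struct an aggregate. A brief comment on the struct, `// Per-name occurrence counter and sampling window, see PermitWeird().`, would also help.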


@ -223,7 +223,7 @@ void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, uint64 seq,
}
catch ( binpac::Exception const &e )
{
Weird(e.c_msg());
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}
}
@ -246,7 +246,7 @@ void Analyzer::NextStream(int len, const u_char* data, bool is_orig)
}
catch ( binpac::Exception const &e )
{
Weird(e.c_msg());
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}
}
@ -269,7 +269,7 @@ void Analyzer::NextUndelivered(uint64 seq, int len, bool is_orig)
}
catch ( binpac::Exception const &e )
{
Weird(e.c_msg());
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}
}
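Review bot: The three `catch ( binpac::Exception const &e )` blocks now have identical bodies; a private helper such as `void Analyzer::HandleBinpacException(const binpac::Exception& e) { ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); }` avoids keeping three copies in sync. The replacement of `Weird(e.c_msg())` itself is sound: the exception text, which presumably echoes parsed input, no longer becomes a weird name and therefore no longer becomes a key in the per-name weird state map introduced in WeirdState.h. A comment on the helper saying exactly that would keep someone from reverting it for the sake of a weird entry.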


@ -96,12 +96,24 @@ void Manager::InitPreScript()
void Manager::InitPostScript()
{
auto id = global_scope()->Lookup("Tunnel::vxlan_ports");
if ( ! (id && id->ID_Val()) )
reporter->FatalError("Tunnel::vxlan_ports not defined");
auto table_val = id->ID_Val()->AsTableVal();
auto port_list = table_val->ConvertToPureList();
for ( auto i = 0; i < port_list->Length(); ++i )
vxlan_ports.emplace_back(port_list->Index(i)->AsPortVal()->Port());
Unref(port_list);
}
void Manager::DumpDebug()
{
#ifdef DEBUG
DBG_LOG(DBG_ANALYZER, "Available analyzers after bro_init():");
DBG_LOG(DBG_ANALYZER, "Available analyzers after zeek_init():");
list<Component*> all_analyzers = GetComponents();
for ( list<Component*>::const_iterator i = all_analyzers.begin(); i != all_analyzers.end(); ++i )
DBG_LOG(DBG_ANALYZER, " %s (%s)", (*i)->Name().c_str(),
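Review bot: `vxlan_ports.emplace_back(port_list->Index(i)->AsPortVal()->Port())` stores into `std::vector<uint16>`; if `Port()` returns a wider integer (can't tell from here) the conversion narrows silently, so a `static_cast<uint16>` with a comment, or a range check, would make the intent explicit. `InitPostScript` also appends without clearing `vxlan_ports` first; if it can run more than once the list accumulates duplicates, which `vxlan_ports.clear();` before the loop would prevent. `AsTableVal()` is called without confirming the identifier's type; presumably the script-level declaration guarantees a table, but a comment stating that would help.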


@ -22,6 +22,7 @@
#define ANALYZER_MANAGER_H
#include <queue>
#include <vector>
#include "Analyzer.h"
#include "Component.h"
@ -77,10 +78,10 @@ public:
/**
* Dumps out the state of all registered analyzers to the \c analyzer
* debug stream. Should be called only after any \c bro_init events
* debug stream. Should be called only after any \c zeek_init events
* have executed to ensure that any of their changes are applied.
*/
void DumpDebug(); // Called after bro_init() events.
void DumpDebug(); // Called after zeek_init() events.
/**
* Enables an analyzer type. Only enabled analyzers will be
@ -335,6 +336,12 @@ public:
void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p,
Val* analyzer, double timeout);
/**
* @return the UDP port numbers to be associated with VXLAN traffic.
*/
const std::vector<uint16>& GetVxlanPorts() const
{ return vxlan_ports; }
private:
typedef set<Tag> tag_set;
typedef map<uint32, tag_set*> analyzer_map_by_port;
@ -390,6 +397,7 @@ private:
conns_map conns;
conns_queue conns_by_timeout;
std::vector<uint16> vxlan_ports;
};
}


@ -47,5 +47,6 @@ add_subdirectory(syslog)
add_subdirectory(tcp)
add_subdirectory(teredo)
add_subdirectory(udp)
add_subdirectory(vxlan)
add_subdirectory(xmpp)
add_subdirectory(zip)


@ -15,7 +15,7 @@
##
## THA: The target hardware address.
##
## .. bro:see:: arp_reply bad_arp
## .. zeek:see:: arp_reply bad_arp
event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
@ -36,7 +36,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
##
## THA: The target hardware address.
##
## .. bro:see:: arp_request bad_arp
## .. zeek:see:: arp_request bad_arp
event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
@ -54,7 +54,7 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
##
## explanation: A short description of why the ARP packet is considered "bad".
##
## .. bro:see:: arp_reply arp_request
## .. zeek:see:: arp_reply arp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet


@ -126,6 +126,4 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
vl->append(new StringVal(msg));
ConnectionEvent(bittorrent_peer_weird, vl);
}
else
Weird(msg);
}


@ -253,8 +253,6 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
vl->append(new StringVal(msg));
ConnectionEvent(bt_tracker_weird, vl);
}
else
Weird(msg);
}
bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
@ -326,8 +324,11 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
case BTT_REQ_DONE:
if ( *line )
DeliverWeird(fmt("Got post request data: %s\n", line),
true);
{
auto msg = fmt("Got post request data: %s\n", line);
Weird("bittorrent_tracker_data_post_request", msg);
DeliverWeird(msg, true);
}
break;
default:
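Review bot: In the `BTT_REQ_DONE` branch `msg` is the `const char*` returned by `fmt()`, which in this codebase (as far as I recall) points to a shared static buffer; if `Weird()` formats anything through `fmt()` on its way to the reporter, `msg` is overwritten before `DeliverWeird(msg, true)` copies it into the `StringVal`. Taking an owned copy first removes the question: `std::string msg = fmt("Got post request data: %s\n", line);` followed by `Weird("bittorrent_tracker_data_post_request", msg.c_str()); DeliverWeird(msg.c_str(), true);`. The first hunk also drops the `else Weird(msg);` fallback from `DeliverWeird()` (the same deletion appears in BitTorrent.cc's `DeliverWeird()`), so every other caller of `DeliverWeird()` outside this hunk now reports only when the script-level event is handled; each such call site needs the same explicit named `Weird()` or those conditions silently disappear from weird.log. The enclosing `ParseRequest()` switch starts and ends outside the hunk.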


@ -40,7 +40,6 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( pstrlen != 19 ||
memcmp("BitTorrent protocol", pstr.begin(), 19) )
{
connection()->bro_analyzer()->Weird(fmt("BitTorrent: invalid handshake (pstrlen: %hhu, pstr: %.*s)", pstrlen, 19, pstr.begin()));
throw Exception("invalid handshake");
}


@ -3,7 +3,7 @@
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -16,7 +16,7 @@ event bittorrent_peer_handshake%(c: connection, is_orig: bool,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -28,7 +28,7 @@ event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -40,7 +40,7 @@ event bittorrent_peer_choke%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request
@ -52,7 +52,7 @@ event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -64,7 +64,7 @@ event bittorrent_peer_interested%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -76,7 +76,7 @@ event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -88,7 +88,7 @@ event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
## .. zeek:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -100,7 +100,7 @@ event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%)
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
@ -113,7 +113,7 @@ event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -126,7 +126,7 @@ event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -139,7 +139,7 @@ event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -151,7 +151,7 @@ event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -164,7 +164,7 @@ event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -176,7 +176,7 @@ event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -189,7 +189,7 @@ event bt_tracker_request%(c: connection, uri: string,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -204,7 +204,7 @@ event bt_tracker_response%(c: connection, status: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -217,7 +217,7 @@ event bt_tracker_response_not_ok%(c: connection, status: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke


@ -8,7 +8,7 @@
##
## is_orig: true if the threshold was crossed by the originator of the connection
##
## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bool%);
@ -22,6 +22,6 @@ event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bo
##
## is_orig: true if the threshold was crossed by the originator of the connection
##
## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig: bool%);


@ -26,7 +26,7 @@ static analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid)
##
## is_orig: If true, threshold is set for bytes from originator, otherwhise for bytes from responder.
##
## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
%{
@ -49,7 +49,7 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or
##
## is_orig: If true, threshold is set for packets from originator, otherwhise for packets from responder.
##
## .. bro:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## .. zeek:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
%{
@ -70,7 +70,7 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_
##
## Returns: 0 if no threshold is set or the threshold in bytes
##
## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## get_current_conn_packets_threshold
function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
%{
@ -89,7 +89,7 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
##
## Returns: 0 if no threshold is set or the threshold in packets
##
## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## get_current_conn_bytes_threshold
function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): count
%{


@ -43,7 +43,7 @@ refine connection DCE_RPC_Conn += {
ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break;
default:
bro_analyzer()->Weird(fmt("unknown_dce_rpc_auth_type_%d",${auth.type}));
bro_analyzer()->Weird("unknown_dce_rpc_auth_type", fmt("%d", ${auth.type}));
break;
}


@ -12,7 +12,7 @@
##
## ptype: Enum representation of the prodecure type of the message.
##
## .. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
## .. zeek:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
@ -33,7 +33,7 @@ event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count
##
## ver_minor: The minor version of the endpoint being requested.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
## .. zeek:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
event dce_rpc_bind%(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
@ -54,7 +54,7 @@ event dce_rpc_bind%(c: connection, fid: count, ctx_id: count, uuid: string, ver_
##
## ver_minor: The minor version of the endpoint being requested.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp
## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp
event dce_rpc_alter_context%(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
@ -67,7 +67,7 @@ event dce_rpc_alter_context%(c: connection, fid: count, ctx_id: count, uuid: str
##
## sec_addr: Secondary address for the ack.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
@ -78,7 +78,7 @@ event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
## not transported over a pipe.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context
## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context
event dce_rpc_alter_context_resp%(c: connection, fid: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
@ -95,7 +95,7 @@ event dce_rpc_alter_context_resp%(c: connection, fid: count%);
##
## stub_len: Length of the data for the request.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
@ -112,5 +112,5 @@ event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, s
##
## stub_len: Length of the data for the response.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
event dce_rpc_response%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);


@ -73,7 +73,7 @@ type DNP3_Response = record {
default -> unknown: Debug_Byte;
};
} &byteorder = bigendian
&length= 9 + addin_header.len - 5 - 1'
&length= 9 + addin_header.len - 5 - 1;
type DNP3_Application_Request_Header = record {
empty: bytestring &length = 0; # Work-around BinPAC problem.
@ -117,7 +117,7 @@ type Response_Objects(function_code: uint8) = record {
0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ];
0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )];
0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )];
default -> ojbects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item];
default -> objects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item];
};
};
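Review bot: Renaming the default case field from `ojbects` to `objects` also renames the accessor BinPAC generates for it, so any `${...ojbects}` reference or hand-written `->ojbects()` call elsewhere in the DNP3 analyzer sources (not part of this hunk) has to be updated in the same commit or the generated code will not compile; worth a grep before merging. Both records touched here start outside the hunk.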


@ -13,7 +13,7 @@
##
## len: The length of the message's raw representation (i.e., the DNS payload).
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -40,7 +40,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -69,7 +69,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -95,7 +95,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -121,7 +121,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
## .. zeek:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -146,7 +146,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## .. zeek:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@ -171,7 +171,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## .. zeek:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@ -196,7 +196,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -221,7 +221,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@ -246,7 +246,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -271,7 +271,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
##
## soa: The parsed SOA value.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -294,7 +294,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -317,7 +317,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@ -344,7 +344,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
##
## preference: The preference for *name* specified by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -369,7 +369,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
##
## strs: The textual information returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -423,7 +423,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
## p: Port of the SRV response -- the TCP or UDP port on which the
## service is to be found.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -442,7 +442,7 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: strin
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end
event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
@ -461,7 +461,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
##
## ans: The parsed EDNS reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@ -484,7 +484,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
##
## ans: The parsed TSIG reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -573,7 +573,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
##
## msg: The parsed DNS message header.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name


@ -11,7 +11,7 @@
##
## hostname: The request's host name.
##
## .. bro:see:: finger_reply
## .. zeek:see:: finger_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
@ -28,7 +28,7 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str
##
## reply_line: The reply as returned by the server
##
## .. bro:see:: finger_request
## .. zeek:see:: finger_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet


@ -9,7 +9,7 @@
##
## arg: The arguments going with the command.
##
## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
## .. zeek:see:: ftp_reply fmt_ftp_port parse_eftp_port
## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
event ftp_request%(c: connection, command: string, arg: string%);
@ -29,7 +29,7 @@ event ftp_request%(c: connection, command: string, arg: string%);
## to reassemble the pieces before processing the response any
## further.
##
## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
## .. zeek:see:: ftp_request fmt_ftp_port parse_eftp_port
## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%);


@ -117,20 +117,20 @@ static Val* parse_eftp(const char* line)
%%}
## Converts a string representation of the FTP PORT command to an
## :bro:type:`ftp_port`.
## :zeek:type:`ftp_port`.
##
## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
##
## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
##
## .. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
## .. zeek:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
function parse_ftp_port%(s: string%): ftp_port
%{
return parse_port(s->CheckString());
%}
## Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
## to an :bro:type:`ftp_port`. The format is
## to an :zeek:type:`ftp_port`. The format is
## ``"EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>"``,
## where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
##
@ -138,19 +138,19 @@ function parse_ftp_port%(s: string%): ftp_port
##
## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
##
## .. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
## .. zeek:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
function parse_eftp_port%(s: string%): ftp_port
%{
return parse_eftp(s->CheckString());
%}
## Converts the result of the FTP PASV command to an :bro:type:`ftp_port`.
## Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`.
##
## str: The string containing the result of the FTP PASV command.
##
## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
##
## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
## .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
function parse_ftp_pasv%(str: string%): ftp_port
%{
const char* s = str->CheckString();
@ -170,14 +170,14 @@ function parse_ftp_pasv%(str: string%): ftp_port
%}
## Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
## :bro:type:`ftp_port`. The format is ``"<text> (<d><d><d><tcp-port><d>)"``,
## :zeek:type:`ftp_port`. The format is ``"<text> (<d><d><d><tcp-port><d>)"``,
## where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
##
## str: The string containing the result of the FTP EPSV command.
##
## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
##
## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
## .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
function parse_ftp_epsv%(str: string%): ftp_port
%{
const char* s = str->CheckString();
@ -196,7 +196,7 @@ function parse_ftp_epsv%(str: string%): ftp_port
##
## Returns: The FTP PORT string.
##
## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
## .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
function fmt_ftp_port%(a: addr, p: port%): string
%{
const uint32* addr;


@ -3,7 +3,7 @@
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
##
##
@ -18,7 +18,7 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -35,7 +35,7 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_not_establish gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -50,7 +50,7 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
## .. zeek:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -64,7 +64,7 @@ event gnutella_establish%(c: connection%);
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -78,7 +78,7 @@ event gnutella_not_establish%(c: connection%);
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol


@ -319,7 +319,7 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
rv->Assign(21, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
break;
}
}
@ -388,7 +388,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
rv->Assign(12, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
break;
}
}
@ -466,7 +466,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
rv->Assign(15, BuildEndUserAddr(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
break;
}
}
@ -526,7 +526,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
rv->Assign(9, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
break;
}
}
@ -560,7 +560,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
rv->Assign(2, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
break;
}
}
@ -591,7 +591,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
rv->Assign(1, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
break;
}
}
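Review bot: The `default:` arm that reports `gtp_invalid_info_element` is now written out verbatim in six switch statements (this hunk in CreatePDP_Request and the five that follow in CreatePDP_Response, UpdatePDP_Request, UpdatePDP_Response, DeletePDP_Request and DeletePDP_Response); a one-line file-local helper such as `static void weird_info_element(const BroAnalyzer& a, int type) { a->Weird("gtp_invalid_info_element", fmt("%d", type)); }` would keep the weird name and its addl formatting in one place so the copies cannot drift apart on a later rename. Moving the numeric element type out of the weird name into the addl argument looks intended to give each weird a constant name, which is what per-name rate limiting or sampling needs; a short comment at the first call site, `// element type goes in addl so the weird name stays constant`, would record that reason for the next maintainer. The `%d` conversion presumes `type()` yields a signed int; if the generated accessor returns an unsigned field, `%u` is the matching specifier, so this is worth confirming against the parser definition. The enclosing switch and function start before this hunk.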


@ -2,7 +2,7 @@
## Generated for HTTP requests. Bro supports persistent and pipelined HTTP
## sessions and raises corresponding events as it parses client/server
## dialogues. This event is generated as soon as a request's initial line has
## been parsed, and before any :bro:id:`http_header` events are raised.
## been parsed, and before any :zeek:id:`http_header` events are raised.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
## for more information about the HTTP protocol.
@ -17,7 +17,7 @@
##
## version: The version number specified in the request (e.g., ``1.1``).
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_message_done http_reply http_stats
## truncate_http_URI http_connection_upgrade
event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
@ -25,7 +25,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
## sessions and raises corresponding events as it parses client/server
## dialogues. This event is generated as soon as a reply's initial line has
## been parsed, and before any :bro:id:`http_header` events are raised.
## been parsed, and before any :zeek:id:`http_header` events are raised.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
## for more information about the HTTP protocol.
@ -38,7 +38,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
##
## reason: The textual description returned by the server along with *code*.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_message_done http_request
## http_stats http_connection_upgrade
event http_reply%(c: connection, version: string, code: count, reason: string%);
@ -58,7 +58,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
##
## value: The value of the header.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_message_done http_reply http_request
## http_stats http_connection_upgrade
##
@ -81,7 +81,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%);
## The table is indexed by the position of the header (1 for the first,
## 2 for the second, etc.).
##
## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data
## .. zeek:see:: http_begin_entity http_content_type http_end_entity http_entity_data
## http_event http_header http_message_done http_reply http_request http_stats
## http_connection_upgrade
##
@ -103,7 +103,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
## is_orig: True if the entity was sent by the originator of the TCP
## connection.
##
## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data
## .. zeek:see:: http_all_headers http_content_type http_end_entity http_entity_data
## http_event http_header http_message_done http_reply http_request http_stats
## mime_begin_entity http_connection_upgrade
event http_begin_entity%(c: connection, is_orig: bool%);
@ -122,7 +122,7 @@ event http_begin_entity%(c: connection, is_orig: bool%);
## is_orig: True if the entity was sent by the originator of the TCP
## connection.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_entity_data
## http_event http_header http_message_done http_reply http_request
## http_stats mime_end_entity http_connection_upgrade
event http_end_entity%(c: connection, is_orig: bool%);
@ -134,7 +134,7 @@ event http_end_entity%(c: connection, is_orig: bool%);
## A common idiom for using this event is to first *reassemble* the data
## at the scripting layer by concatenating it to a successively growing
## string; and only perform further content analysis once the corresponding
## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so
## :zeek:id:`http_end_entity` event has been raised. Note, however, that doing so
## can be quite expensive for HTTP tranders. At the very least, one should
## impose an upper size limit on how much data is being buffered.
##
@ -150,7 +150,7 @@ event http_end_entity%(c: connection, is_orig: bool%);
##
## data: One chunk of raw entity data.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_event http_header http_message_done http_reply http_request http_stats
## mime_entity_data http_entity_data_delivery_size skip_http_data
## http_connection_upgrade
@ -173,7 +173,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
##
## subty: The subtype.
##
## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
## .. zeek:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
## http_event http_header http_message_done http_reply http_request http_stats
## http_connection_upgrade
##
@ -199,7 +199,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string
##
## stat: Further meta information about the message.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_reply http_request http_stats
## http_connection_upgrade
event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%);
@ -216,7 +216,7 @@ event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%)
##
## detail: Further more detailed description of the error.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_header http_message_done http_reply http_request
## http_stats mime_event http_connection_upgrade
event http_event%(c: connection, event_type: string, detail: string%);
@ -230,7 +230,7 @@ event http_event%(c: connection, event_type: string, detail: string%);
## stats: Statistics summarizing HTTP-level properties of the finished
## connection.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_message_done http_reply
## http_request http_connection_upgrade
event http_stats%(c: connection, stats: http_stats_rec%);
@ -243,7 +243,7 @@ event http_stats%(c: connection, stats: http_stats_rec%);
##
## protocol: The protocol to which the connection is switching.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_message_done http_reply
## http_request
event http_connection_upgrade%(c: connection, protocol: string%);


@ -9,7 +9,7 @@
##
## is_orig: If true, the client data is skipped, and the server data otherwise.
##
## .. bro:see:: skip_smtp_data
## .. zeek:see:: skip_smtp_data
function skip_http_entity_data%(c: connection, is_orig: bool%): any
%{
analyzer::ID id = mgr.CurrentAnalyzer();


@ -12,10 +12,10 @@
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## .. bro:see:: icmp_error_message icmp_sent_payload
## .. zeek:see:: icmp_error_message icmp_sent_payload
event icmp_sent%(c: connection, icmp: icmp_conn%);
## The same as :bro:see:`icmp_sent` except containing the ICMP payload.
## The same as :zeek:see:`icmp_sent` except containing the ICMP payload.
##
## c: The connection record for the corresponding ICMP flow.
##
@ -24,7 +24,7 @@ event icmp_sent%(c: connection, icmp: icmp_conn%);
##
## payload: The payload of the ICMP message.
##
## .. bro:see:: icmp_error_message icmp_sent_payload
## .. zeek:see:: icmp_error_message icmp_sent_payload
event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%);
## Generated for ICMP *echo request* messages.
@ -45,7 +45,7 @@ event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%);
## payload: The message-specific data of the packet payload, i.e., everything
## after the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_reply
## .. zeek:see:: icmp_echo_reply
event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
## Generated for ICMP *echo reply* messages.
@ -66,7 +66,7 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
## payload: The message-specific data of the packet payload, i.e., everything
## after the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_request
## .. zeek:see:: icmp_echo_request
event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
## Generated for all ICMPv6 error messages that are not handled
@ -88,7 +88,7 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa
## context: A record with specifics of the original packet that the message
## refers to.
##
## .. bro:see:: icmp_unreachable icmp_packet_too_big
## .. zeek:see:: icmp_unreachable icmp_packet_too_big
## icmp_time_exceeded icmp_parameter_problem
event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
@ -112,7 +112,7 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
## includes only a partial IP header for some reason, no
## fields of *context* will be filled out.
##
## .. bro:see:: icmp_error_message icmp_packet_too_big
## .. zeek:see:: icmp_error_message icmp_packet_too_big
## icmp_time_exceeded icmp_parameter_problem
event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
@ -136,7 +136,7 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
## a partial IP header for some reason, no fields of *context* will
## be filled out.
##
## .. bro:see:: icmp_error_message icmp_unreachable
## .. zeek:see:: icmp_error_message icmp_unreachable
## icmp_time_exceeded icmp_parameter_problem
event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
@ -160,7 +160,7 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
## only a partial IP header for some reason, no fields of *context*
## will be filled out.
##
## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
## icmp_parameter_problem
event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
@ -184,7 +184,7 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
## includes only a partial IP header for some reason, no fields
## of *context* will be filled out.
##
## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
## icmp_time_exceeded
event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
@ -201,7 +201,7 @@ event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, conte
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_advertisement
## .. zeek:see:: icmp_router_advertisement
## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%);
@ -239,7 +239,7 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_n
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_solicitation
## .. zeek:see:: icmp_router_solicitation
## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
@ -258,7 +258,7 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit:
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
## icmp_neighbor_advertisement icmp_redirect
event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%);
@ -284,7 +284,7 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, opt
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
## icmp_neighbor_solicitation icmp_redirect
event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
@ -306,7 +306,7 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool,
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
## icmp_neighbor_solicitation icmp_neighbor_advertisement
event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%);


@ -9,7 +9,7 @@
##
## rport: The request's remote port.
##
## .. bro:see:: ident_error ident_reply
## .. zeek:see:: ident_error ident_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
@ -32,7 +32,7 @@ event ident_request%(c: connection, lport: port, rport: port%);
##
## system: The operating system returned by the reply.
##
## .. bro:see:: ident_error ident_request
## .. zeek:see:: ident_error ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
@ -53,7 +53,7 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
##
## line: The error description returned by the reply.
##
## .. bro:see:: ident_reply ident_request
## .. zeek:see:: ident_reply ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet


@ -15,7 +15,7 @@
##
## arguments: The arguments for the command.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -23,7 +23,7 @@
##
## .. note:: This event is generated only for messages that originate
## at the client-side. Commands coming in from remote trigger
## the :bro:id:`irc_message` event instead.
## the :zeek:id:`irc_message` event instead.
event irc_request%(c: connection, is_orig: bool, prefix: string,
command: string, arguments: string%);
@ -45,7 +45,7 @@ event irc_request%(c: connection, is_orig: bool, prefix: string,
##
## params: The reply's parameters.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -69,7 +69,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string,
##
## message: TODO.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -79,7 +79,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string,
##
## This event is generated only for messages that are forwarded by the server
## to the client. Commands coming from client trigger the
## :bro:id:`irc_request` event instead.
## :zeek:id:`irc_request` event instead.
event irc_message%(c: connection, is_orig: bool, prefix: string,
command: string, message: string%);
@ -98,7 +98,7 @@ event irc_message%(c: connection, is_orig: bool, prefix: string,
##
## message: The text included with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -122,7 +122,7 @@ event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: str
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -147,7 +147,7 @@ event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_oper_message irc_oper_response irc_part_message
@ -172,7 +172,7 @@ event irc_notice_message%(c: connection, is_orig: bool, source: string,
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -193,7 +193,7 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string,
##
## info_list: The user information coming with the command.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -217,7 +217,7 @@ event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%)
##
## message: The text coming with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -240,7 +240,7 @@ event irc_part_message%(c: connection, is_orig: bool, nick: string,
##
## newnick: The new nickname.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -257,7 +257,7 @@ event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: stri
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -280,7 +280,7 @@ event irc_invalid_nick%(c: connection, is_orig: bool%);
##
## servers: The number of servers as returned in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -304,7 +304,7 @@ event irc_network_info%(c: connection, is_orig: bool, users: count,
##
## servers: The number of servers as returned in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -324,7 +324,7 @@ event irc_server_info%(c: connection, is_orig: bool, users: count,
##
## chans: The number of channels as returned in the reply.
##
## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users
## .. zeek:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -359,7 +359,7 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
##
## real_name: The real name.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -386,7 +386,7 @@ event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
##
## users: The set of users.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -406,7 +406,7 @@ event irc_names_info%(c: connection, is_orig: bool, c_type: string,
##
## nick: The nickname specified in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -427,7 +427,7 @@ event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
##
## chans: The set of channels returned.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -453,7 +453,7 @@ event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
##
## real_name: The real name specified in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -474,7 +474,7 @@ event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
## got_oper: True if the *oper* command was executed successfully
## (*youreport*) and false otherwise (*nooperhost*).
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_part_message
@ -496,7 +496,7 @@ event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
##
## msg: The message coming with the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -517,7 +517,7 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin
##
## topic: The topic specified in the reply.
##
## .. bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users
## .. zeek:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -539,7 +539,7 @@ event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: s
##
## oper: True if the operator flag was set.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -561,7 +561,7 @@ event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
##
## users: TODO.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -583,7 +583,7 @@ event irc_whois_message%(c: connection, is_orig: bool, server: string, users: st
##
## password: The password specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_response irc_part_message
@ -610,7 +610,7 @@ event irc_oper_message%(c: connection, is_orig: bool, user: string, password: st
##
## comment: The comment specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -634,7 +634,7 @@ event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
##
## message: The textual description specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -659,7 +659,7 @@ event irc_error_message%(c: connection, is_orig: bool, prefix: string, message:
##
## channel: The channel specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -683,7 +683,7 @@ event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
##
## params: The parameters coming with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -708,7 +708,7 @@ event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: st
##
## message: The textual description specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -742,7 +742,7 @@ event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
##
## size: The size specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users
## .. zeek:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@ -771,7 +771,7 @@ event irc_dcc_message%(c: connection, is_orig: bool,
##
## real_name: The real name specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@ -791,7 +791,7 @@ event irc_user_message%(c: connection, is_orig: bool, user: string, host: string
##
## password: The password specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response


@ -11,7 +11,7 @@
##
## msg: A Kerberos KDC request message data structure.
##
## .. bro:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
## .. zeek:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
## krb_ap_response krb_priv krb_safe krb_cred krb_error
event krb_as_request%(c: connection, msg: KRB::KDC_Request%);
@ -27,7 +27,7 @@ event krb_as_request%(c: connection, msg: KRB::KDC_Request%);
##
## msg: A Kerberos KDC reply message data structure.
##
## .. bro:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
## .. zeek:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
## krb_ap_response krb_priv krb_safe krb_cred krb_error
event krb_as_response%(c: connection, msg: KRB::KDC_Response%);
@ -44,7 +44,7 @@ event krb_as_response%(c: connection, msg: KRB::KDC_Response%);
##
## msg: A Kerberos KDC request message data structure.
##
## .. bro:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
## .. zeek:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
## krb_ap_response krb_priv krb_safe krb_cred krb_error
event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%);
@ -60,7 +60,7 @@ event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%);
##
## msg: A Kerberos KDC reply message data structure.
##
## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
## krb_ap_response krb_priv krb_safe krb_cred krb_error
event krb_tgs_response%(c: connection, msg: KRB::KDC_Response%);
@ -78,7 +78,7 @@ event krb_tgs_response%(c: connection, msg: KRB::KDC_Response%);
##
## opts: A Kerberos AP options data structure.
##
## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## krb_ap_response krb_priv krb_safe krb_cred krb_error
event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%);
@ -93,7 +93,7 @@ event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%
##
## c: The connection over which this Kerberos message was sent.
##
## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## krb_ap_request krb_priv krb_safe krb_cred krb_error
event krb_ap_response%(c: connection%);
@ -109,7 +109,7 @@ event krb_ap_response%(c: connection%);
##
## is_orig: Whether the originator of the connection sent this message.
##
## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## krb_ap_request krb_ap_response krb_safe krb_cred krb_error
event krb_priv%(c: connection, is_orig: bool%);
@ -125,7 +125,7 @@ event krb_priv%(c: connection, is_orig: bool%);
##
## msg: A Kerberos SAFE message data structure.
##
## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## krb_ap_request krb_ap_response krb_priv krb_cred krb_error
event krb_safe%(c: connection, is_orig: bool, msg: KRB::SAFE_Msg%);
@ -141,7 +141,7 @@ event krb_safe%(c: connection, is_orig: bool, msg: KRB::SAFE_Msg%);
##
## tickets: Tickets obtained from the KDC that are being forwarded.
##
## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## krb_ap_request krb_ap_response krb_priv krb_safe krb_error
event krb_cred%(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector%);
@ -154,6 +154,6 @@ event krb_cred%(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector%);
##
## msg: A Kerberos error message data structure.
##
## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
event krb_error%(c: connection, msg: KRB::Error_Msg%);


@ -14,7 +14,7 @@
##
## new_session: True if this is the first command of the Rsh session.
##
## .. bro:see:: rsh_reply login_confused login_confused_text login_display
## .. zeek:see:: rsh_reply login_confused login_confused_text login_display
## login_failure login_input_line login_output_line login_prompt login_success
## login_terminal
##
@ -41,7 +41,7 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line
##
## line: The command line sent in the request.
##
## .. bro:see:: rsh_request login_confused login_confused_text login_display
## .. zeek:see:: rsh_request login_confused login_confused_text login_display
## login_failure login_input_line login_output_line login_prompt login_success
## login_terminal
##
@ -72,7 +72,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
## line: The line of text that led the analyzer to conclude that the
## authentication had failed.
##
## .. bro:see:: login_confused login_confused_text login_display login_input_line
## .. zeek:see:: login_confused login_confused_text login_display login_input_line
## login_output_line login_prompt login_success login_terminal direct_login_prompts
## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
## login_timeouts set_login_state
@ -85,7 +85,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
@ -107,7 +107,7 @@ event login_failure%(c: connection, user: string, client_user: string, password:
## line: The line of text that led the analyzer to conclude that the
## authentication had succeeded.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_prompt login_terminal
## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
## login_prompts login_success_msgs login_timeouts set_login_state
@ -120,7 +120,7 @@ event login_failure%(c: connection, user: string, client_user: string, password:
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
@ -131,13 +131,13 @@ event login_success%(c: connection, user: string, client_user: string, password:
##
## line: The input line.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_output_line login_prompt login_success login_terminal rsh_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_input_line%(c: connection, line: string%);
@ -148,13 +148,13 @@ event login_input_line%(c: connection, line: string%);
##
## line: The ouput line.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_prompt login_success login_terminal rsh_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_output_line%(c: connection, line: string%);
@ -173,7 +173,7 @@ event login_output_line%(c: connection, line: string%);
## line: The line of text that caused the heuristics to conclude they were
## confused.
##
## .. bro:see:: login_confused_text login_display login_failure login_input_line login_output_line
## .. zeek:see:: login_confused_text login_display login_failure login_input_line login_output_line
## login_prompt login_success login_terminal direct_login_prompts get_login_state
## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
## login_timeouts set_login_state
@ -181,20 +181,20 @@ event login_output_line%(c: connection, line: string%);
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_confused%(c: connection, msg: string, line: string%);
## Generated after getting confused while tracking a Telnet/Rlogin
## authentication dialog. The *login* analyzer generates this even for every
## line of user input after it has reported :bro:id:`login_confused` for a
## line of user input after it has reported :zeek:id:`login_confused` for a
## connection.
##
## c: The connection.
##
## line: The line the user typed.
##
## .. bro:see:: login_confused login_display login_failure login_input_line
## .. zeek:see:: login_confused login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal direct_login_prompts
## get_login_state login_failure_msgs login_non_failure_msgs login_prompts
## login_success_msgs login_timeouts set_login_state
@ -202,7 +202,7 @@ event login_confused%(c: connection, msg: string, line: string%);
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_confused_text%(c: connection, line: string%);
@ -213,13 +213,13 @@ event login_confused_text%(c: connection, line: string%);
##
## terminal: The TERM value transmitted.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_prompt login_success
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_terminal%(c: connection, terminal: string%);
@ -230,13 +230,13 @@ event login_terminal%(c: connection, terminal: string%);
##
## display: The DISPLAY transmitted.
##
## .. bro:see:: login_confused login_confused_text login_failure login_input_line
## .. zeek:see:: login_confused login_confused_text login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_display%(c: connection, display: string%);
@ -252,16 +252,16 @@ event login_display%(c: connection, display: string%);
##
## c: The connection.
##
## .. bro:see:: authentication_rejected authentication_skipped login_success
## .. zeek:see:: authentication_rejected authentication_skipped login_success
##
## .. note:: This event inspects the corresponding Telnet option
## while :bro:id:`login_success` heuristically determines success by watching
## while :zeek:id:`login_success` heuristically determines success by watching
## session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event authentication_accepted%(name: string, c: connection%);
@ -277,16 +277,16 @@ event authentication_accepted%(name: string, c: connection%);
##
## c: The connection.
##
## .. bro:see:: authentication_accepted authentication_skipped login_failure
## .. zeek:see:: authentication_accepted authentication_skipped login_failure
##
## .. note:: This event inspects the corresponding Telnet option
## while :bro:id:`login_success` heuristically determines failure by watching
## while :zeek:id:`login_success` heuristically determines failure by watching
## session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event authentication_rejected%(name: string, c: connection%);
@ -298,7 +298,7 @@ event authentication_rejected%(name: string, c: connection%);
##
## c: The connection.
##
## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts
## .. zeek:see:: authentication_accepted authentication_rejected direct_login_prompts
## get_login_state login_failure_msgs login_non_failure_msgs login_prompts
## login_success_msgs login_timeouts set_login_state
##
@ -310,7 +310,7 @@ event authentication_rejected%(name: string, c: connection%);
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event authentication_skipped%(c: connection%);
@ -325,13 +325,13 @@ event authentication_skipped%(c: connection%);
##
## prompt: The TTYPROMPT transmitted.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_prompt%(c: connection, prompt: string%);
@ -344,7 +344,7 @@ event login_prompt%(c: connection, prompt: string%);
##
## c: The connection.
##
## .. bro:see:: authentication_accepted authentication_rejected authentication_skipped
## .. zeek:see:: authentication_accepted authentication_rejected authentication_skipped
## login_confused login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
event activating_encryption%(c: connection%);
@ -362,7 +362,7 @@ event activating_encryption%(c: connection%);
##
## c: The connection.
##
## .. bro:see:: bad_option bad_option_termination authentication_accepted
## .. zeek:see:: bad_option bad_option_termination authentication_accepted
## authentication_rejected authentication_skipped login_confused
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
@ -375,7 +375,7 @@ event inconsistent_option%(c: connection%);
##
## c: The connection.
##
## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted
## .. zeek:see:: inconsistent_option bad_option_termination authentication_accepted
## authentication_rejected authentication_skipped login_confused
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
@ -383,7 +383,7 @@ event inconsistent_option%(c: connection%);
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event bad_option%(c: connection%);
@ -394,7 +394,7 @@ event bad_option%(c: connection%);
##
## c: The connection.
##
## .. bro:see:: inconsistent_option bad_option authentication_accepted
## .. zeek:see:: inconsistent_option bad_option authentication_accepted
## authentication_rejected authentication_skipped login_confused
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
@ -402,6 +402,6 @@ event bad_option%(c: connection%);
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event bad_option_termination%(c: connection%);


@ -21,7 +21,7 @@
## does not correctly know the state of the connection, and/or
## the username associated with it.
##
## .. bro:see:: set_login_state
## .. zeek:see:: set_login_state
function get_login_state%(cid: conn_id%): count
%{
Connection* c = sessions->FindConnection(cid);
@ -40,12 +40,12 @@ function get_login_state%(cid: conn_id%): count
## cid: The connection ID.
##
## new_state: The new state of the login analyzer. See
## :bro:id:`get_login_state` for possible values.
## :zeek:id:`get_login_state` for possible values.
##
## Returns: Returns false if *cid* is not an active connection
## or is not tagged as a login analyzer, and true otherwise.
##
## .. bro:see:: get_login_state
## .. zeek:see:: get_login_state
function set_login_state%(cid: conn_id, new_state: count%): bool
%{
Connection* c = sessions->FindConnection(cid);


@ -9,12 +9,12 @@
##
## c: The connection.
##
## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
## .. zeek:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
## http_begin_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
## however, it raises :bro:id:`http_begin_entity` instead.
## however, it raises :zeek:id:`http_begin_entity` instead.
event mime_begin_entity%(c: connection%);
## Generated when finishing parsing an email MIME entity. MIME is a
@ -28,12 +28,12 @@ event mime_begin_entity%(c: connection%);
##
## c: The connection.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
## http_end_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
## however, it raises :bro:id:`http_end_entity` instead.
## however, it raises :zeek:id:`http_end_entity` instead.
event mime_end_entity%(c: connection%);
## Generated for individual MIME headers extracted from email MIME
@ -48,12 +48,12 @@ event mime_end_entity%(c: connection%);
##
## h: The parsed MIME header.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_event mime_segment_data
## http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
## however, it raises :bro:id:`http_header` instead.
## however, it raises :zeek:id:`http_header` instead.
event mime_one_header%(c: connection, h: mime_header_rec%);
## Generated for MIME headers extracted from email MIME entities, passing all
@ -70,12 +70,12 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
## The table is indexed by the position of the header (1 for the first,
## 2 for the second, etc.).
##
## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
## .. zeek:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
## http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
## however, it raises :bro:id:`http_header` instead.
## however, it raises :zeek:id:`http_header` instead.
event mime_all_headers%(c: connection, hlist: mime_header_list%);
## Generated for chunks of decoded MIME data from email MIME entities. MIME
@ -83,7 +83,7 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%);
## corresponding metadata, for transmission. As Bro parses the data of an
## entity, it raises a sequence of these events, each coming as soon as a new
## chunk of data is available. In contrast, there is also
## :bro:id:`mime_entity_data`, which passes all of an entities data at once
## :zeek:id:`mime_entity_data`, which passes all of an entities data at once
## in a single block. While the latter is more convenient to handle,
## ``mime_segment_data`` is more efficient as Bro does not need to buffer
## the data. Thus, if possible, this event should be preferred.
@ -98,17 +98,17 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%);
##
## data: The raw data of one segment of the current entity.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
## mime_segment_length mime_segment_overlap_length
##
## .. note:: Bro also extracts MIME data from HTTP sessions. For those,
## however, it raises :bro:id:`http_entity_data` (sic!) instead.
## however, it raises :zeek:id:`http_entity_data` (sic!) instead.
event mime_segment_data%(c: connection, length: count, data: string%);
## Generated for data decoded from an email MIME entity. This event delivers
## the complete content of a single MIME entity with the quoted-printable and
## and base64 data decoded. In contrast, there is also :bro:id:`mime_segment_data`,
## and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
## which passes on a sequence of data chunks as they come in. While
## ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
## more efficient as Bro does not need to buffer the data. Thus, if possible,
@ -124,7 +124,7 @@ event mime_segment_data%(c: connection, length: count, data: string%);
##
## data: The raw data of the complete entity.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
@ -147,7 +147,7 @@ event mime_entity_data%(c: connection, length: count, data: string%);
##
## data: The raw data of all MIME entities concatenated.
##
## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
## .. zeek:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
@ -167,11 +167,11 @@ event mime_all_data%(c: connection, length: count, data: string%);
##
## detail: Further more detailed description of the error.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
## however, it raises :bro:id:`http_event` instead.
## however, it raises :zeek:id:`http_event` instead.
event mime_event%(c: connection, event_type: string, detail: string%);
## Generated for decoded MIME entities extracted from email messages, passing on
@ -188,7 +188,7 @@ event mime_event%(c: connection, event_type: string, detail: string%);
##
## hash_value: The MD5 hash.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP


@ -9,7 +9,7 @@
##
## arg: The argument for the command (empty string if not provided).
##
## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
## .. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
event mysql_command_request%(c: connection, command: count, arg: string%);
## Generated for an unsuccessful MySQL response.
@ -23,7 +23,7 @@ event mysql_command_request%(c: connection, command: count, arg: string%);
##
## msg: Any extra details about the error (empty string if not provided).
##
## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
## .. zeek:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
event mysql_error%(c: connection, code: count, msg: string%);
## Generated for a successful MySQL response.
@ -35,7 +35,7 @@ event mysql_error%(c: connection, code: count, msg: string%);
##
## affected_rows: The number of rows that were affected.
##
## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
## .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
event mysql_ok%(c: connection, affected_rows: count%);
## Generated for each MySQL ResultsetRow response packet.
@ -47,7 +47,7 @@ event mysql_ok%(c: connection, affected_rows: count%);
##
## row: The result row data.
##
## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
## .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
event mysql_result_row%(c: connection, row: string_vec%);
## Generated for the initial server handshake packet, which includes the MySQL server version.
@ -59,7 +59,7 @@ event mysql_result_row%(c: connection, row: string_vec%);
##
## ver: The server version string.
##
## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake
## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_handshake
event mysql_server_version%(c: connection, ver: string%);
## Generated for a client handshake response packet, which includes the username the client is attempting
@ -72,6 +72,6 @@ event mysql_server_version%(c: connection, ver: string%);
##
## username: The username supplied by the client
##
## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_server_version
## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version
event mysql_handshake%(c: connection, username: string%);


@ -11,7 +11,7 @@
##
## func: The requested function, as specified by the protocol.
##
## .. bro:see:: ncp_reply
## .. zeek:see:: ncp_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
@ -36,7 +36,7 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count%
##
## completion_code: The reply's completion code, as specified by the protocol.
##
## .. bro:see:: ncp_request
## .. zeek:see:: ncp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet


@ -97,7 +97,7 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
return ParseDatagram(data, len, is_query);
default:
analyzer->Weird(fmt("unknown_netbios_type: 0x%x", type));
analyzer->Weird("unknown_netbios_type", fmt("0x%x", type));
return 1;
}
}
@ -143,7 +143,7 @@ int NetbiosSSN_Interpreter::ParseMessageTCP(const u_char* data, int len,
NetbiosSSN_RawMsgHdr hdr(data, len);
if ( hdr.length > unsigned(len) )
analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
analyzer->Weird("excess_netbios_hdr_len", fmt("(%d > %d)",
hdr.length, len));
else if ( hdr.length < unsigned(len) )
@ -162,12 +162,12 @@ int NetbiosSSN_Interpreter::ParseMessageUDP(const u_char* data, int len,
NetbiosDGM_RawMsgHdr hdr(data, len);
if ( unsigned(hdr.length-14) > unsigned(len) )
analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
analyzer->Weird("excess_netbios_hdr_len", fmt("(%d > %d)",
hdr.length, len));
else if ( hdr.length < unsigned(len) )
{
analyzer->Weird(fmt("deficit_netbios_hdr_len (%d < %d)",
analyzer->Weird("deficit_netbios_hdr_len", fmt("(%d < %d)",
hdr.length, len));
len = hdr.length;
}
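Review bot: The `addl` strings for `excess_netbios_hdr_len` and `deficit_netbios_hdr_len` in the ParseMessageUDP hunk (and the TCP one above it) still carry the surrounding parentheses, `"(%d > %d)"`, that made sense when the numbers were glued onto the weird name in one string; now that the name and the detail travel as separate arguments, the detail should be just the numbers, e.g. `analyzer->Weird("excess_netbios_hdr_len", fmt("%d > %d", hdr.length, len));`. Both comparisons cast `len` to `unsigned` to compare against `hdr.length`, which suggests that field is unsigned; if so `%u` is the matching specifier for it, but that is pre-existing and worth confirming against the header struct. ParseMessageTCP and ParseMessageUDP both begin and end outside the visible hunks.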


@ -16,7 +16,7 @@
##
## data_len: The length of the message's payload.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_raw_message netbios_session_rejected netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
@ -44,7 +44,7 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_message netbios_session_raw_message netbios_session_rejected
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
@ -72,7 +72,7 @@ event netbios_session_request%(c: connection, msg: string%);
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header.
##
## .. bro:see:: netbios_session_keepalive netbios_session_message
## .. zeek:see:: netbios_session_keepalive netbios_session_message
## netbios_session_raw_message netbios_session_rejected netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
@ -100,7 +100,7 @@ event netbios_session_accepted%(c: connection, msg: string%);
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_message netbios_session_raw_message netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
@ -132,7 +132,7 @@ event netbios_session_rejected%(c: connection, msg: string%);
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header (i.e., the ``user_data``).
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_message netbios_session_rejected netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
@ -163,7 +163,7 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## .. zeek:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_message netbios_session_raw_message netbios_session_rejected
## netbios_session_request decode_netbios_name decode_netbios_name_type
##
@ -193,7 +193,7 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%);
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header.
##
## .. bro:see:: netbios_session_accepted netbios_session_message
## .. zeek:see:: netbios_session_accepted netbios_session_message
## netbios_session_raw_message netbios_session_rejected netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##


@ -5,7 +5,7 @@
##
## Returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAME"``.
##
## .. bro:see:: decode_netbios_name_type
## .. zeek:see:: decode_netbios_name_type
function decode_netbios_name%(name: string%): string
%{
char buf[16];
@ -41,7 +41,7 @@ function decode_netbios_name%(name: string%): string
##
## Returns: The numeric value of *name*.
##
## .. bro:see:: decode_netbios_name
## .. zeek:see:: decode_netbios_name
function decode_netbios_name_type%(name: string%): count
%{
const u_char* s = name->Bytes();


@ -4,7 +4,7 @@
##
## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
##
## .. bro:see:: ntlm_challenge ntlm_authenticate
## .. zeek:see:: ntlm_challenge ntlm_authenticate
event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%);
## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
@ -13,7 +13,7 @@ event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%);
##
## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
##
## .. bro:see:: ntlm_negotiate ntlm_authenticate
## .. zeek:see:: ntlm_negotiate ntlm_authenticate
event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%);
## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
@ -22,5 +22,5 @@ event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%);
##
## request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
##
## .. bro:see:: ntlm_negotiate ntlm_challenge
## .. zeek:see:: ntlm_negotiate ntlm_challenge
event ntlm_authenticate%(c: connection, request: NTLM::Authenticate%);


@ -11,7 +11,7 @@
## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
## further parse any optional fields.
##
## .. bro:see:: ntp_session_timeout
## .. zeek:see:: ntp_session_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet


@ -12,7 +12,7 @@
##
## arg: The argument to the command.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -37,7 +37,7 @@ event pop3_request%(c: connection, is_orig: bool,
##
## msg: The textual description the server sent along with *cmd*.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
## pop3_unexpected
##
## .. todo:: This event is receiving odd parameters, should unify.
@ -62,7 +62,7 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
##
## data: The data sent.
##
## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
## .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -86,7 +86,7 @@ event pop3_data%(c: connection, is_orig: bool, data: string%);
##
## detail: The input that triggered the event.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
@ -105,7 +105,7 @@ event pop3_unexpected%(c: connection, is_orig: bool,
##
## c: The connection.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
## pop3_request pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -128,7 +128,7 @@ event pop3_starttls%(c: connection%);
##
## password: The password used for authentication.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request
## .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -152,7 +152,7 @@ event pop3_login_success%(c: connection, is_orig: bool,
##
## password: The password attempted for authentication.
##
## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request
## .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol


@ -17,7 +17,7 @@ using namespace analyzer::rpc;
int MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
{
if ( c->Program() != 100005 )
Weird(fmt("bad_RPC_program (%d)", c->Program()));
Weird("bad_RPC_program", fmt("%d", c->Program()));
uint32 proc = c->Proc();
// The call arguments, depends on the call type obviously ...
@ -49,7 +49,7 @@ int MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
n = 0;
}
else
Weird(fmt("unknown_MOUNT_request(%u)", proc));
Weird("unknown_MOUNT_request", fmt("%u", proc));
// Return 1 so that replies to unprocessed calls will still
// be processed, and the return status extracted.


@ -17,7 +17,7 @@ using namespace analyzer::rpc;
int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
{
if ( c->Program() != 100003 )
Weird(fmt("bad_RPC_program (%d)", c->Program()));
Weird("bad_RPC_program", fmt("%d", c->Program()));
uint32 proc = c->Proc();
// The call arguments, depends on the call type obviously ...
@ -103,7 +103,7 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
n = 0;
}
else
Weird(fmt("unknown_NFS_request(%u)", proc));
Weird("unknown_NFS_request", fmt("%u", proc));
// Return 1 so that replies to unprocessed calls will still
// be processed, and the return status extracted.


@ -371,9 +371,9 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status,
}
}
void RPC_Interpreter::Weird(const char* msg)
void RPC_Interpreter::Weird(const char* msg, const char* addl)
{
analyzer->Weird(msg);
analyzer->Weird(msg, addl);
}
@ -532,9 +532,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
DEBUG_MSG("%.6f RPC resync: "
"discard small pieces: %d\n",
network_time, len);
Conn()->Weird(
fmt("RPC resync: discard %d bytes\n",
len));
Conn()->Weird("RPC_resync", fmt("discard %d bytes\n", len));
}
NeedResync();
@ -677,7 +675,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
// network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len);
if ( ! msg_buf.AddToExpected(marker) )
Conn()->Weird(fmt("RPC_message_too_long (%" PRId64 ")" , msg_buf.GetExpected()));
Conn()->Weird("RPC_message_too_long", fmt("%" PRId64, msg_buf.GetExpected()));
if ( last_frag )
state = WAIT_FOR_LAST_DATA;


@ -123,7 +123,7 @@ protected:
void Event_RPC_Call(RPC_CallInfo* c);
void Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len);
void Weird(const char* name);
void Weird(const char* name, const char* addl = "");
PDict(RPC_CallInfo) calls;
analyzer::Analyzer* analyzer;


@ -10,7 +10,7 @@
##
## info: Reports the status of the dialogue, along with some meta information.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
@ -38,7 +38,7 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%);
## attrs: The attributes returned in the reply. The values may not be valid if
## the request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply file_mode
@ -66,7 +66,7 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF
## rep: The attributes returned in the reply. The values may not be
## valid if the request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply file_mode
@ -94,7 +94,7 @@ event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t,
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
@ -122,7 +122,7 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir
## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
@ -150,7 +150,7 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## nfs_proc_symlink rpc_call rpc_dialogue rpc_reply
@ -178,7 +178,7 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
## rep: The attributes returned in the reply. The values may not be
## valid if the request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode
@ -206,7 +206,7 @@ event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkarg
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## nfs_proc_symlink rpc_dialogue rpc_reply
@ -234,7 +234,7 @@ event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, r
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call
## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
@ -263,7 +263,7 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
@ -291,7 +291,7 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
@ -319,7 +319,7 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
@ -347,7 +347,7 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
@ -375,7 +375,7 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
## nfs_reply_status rpc_call rpc_dialogue rpc_reply
@ -403,7 +403,7 @@ event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameoparg
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
@ -427,7 +427,7 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
##
## proc: The procedure called that Bro does not implement.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
##
@ -444,7 +444,7 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
##
## info: Reports the status included in the reply.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
## rpc_dialogue rpc_reply
@ -463,7 +463,7 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
##
## r: The RPC connection.
##
## .. bro:see:: pm_request_set pm_request_unset pm_request_getport
## .. zeek:see:: pm_request_set pm_request_unset pm_request_getport
## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@ -488,7 +488,7 @@ event pm_request_null%(r: connection%);
## reply. If no reply was seen, this will be false once the request
## times out.
##
## .. bro:see:: pm_request_null pm_request_unset pm_request_getport
## .. zeek:see:: pm_request_null pm_request_unset pm_request_getport
## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@ -513,7 +513,7 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
## reply. If no reply was seen, this will be false once the request
## times out.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_getport
## .. zeek:see:: pm_request_null pm_request_set pm_request_getport
## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@ -536,7 +536,7 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
##
## p: The port returned by the server.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@ -557,7 +557,7 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
##
## m: The mappings returned by the server.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_getport pm_request_callit pm_attempt_null
## pm_attempt_set pm_attempt_unset pm_attempt_getport
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@ -581,7 +581,7 @@ event pm_request_dump%(r: connection, m: pm_mappings%);
##
## p: The port value returned by the call.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_getport pm_request_dump pm_attempt_null
## pm_attempt_set pm_attempt_unset pm_attempt_getport
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@ -602,9 +602,9 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
## :zeek:id:`RPC_status`.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_getport pm_request_dump pm_request_callit
## pm_attempt_set pm_attempt_unset pm_attempt_getport
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@ -625,11 +625,11 @@ event pm_attempt_null%(r: connection, status: rpc_status%);
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
## :zeek:id:`RPC_status`.
##
## m: The argument to the original request.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_getport pm_request_dump pm_request_callit
## pm_attempt_null pm_attempt_unset pm_attempt_getport
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@ -650,11 +650,11 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
## :zeek:id:`RPC_status`.
##
## m: The argument to the original request.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_getport pm_request_dump pm_request_callit
## pm_attempt_null pm_attempt_set pm_attempt_getport
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
@ -675,11 +675,11 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
## :zeek:id:`RPC_status`.
##
## pr: The argument to the original request.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_getport pm_request_dump pm_request_callit
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
@ -699,9 +699,9 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
## :zeek:id:`RPC_status`.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_getport pm_request_dump pm_request_callit
## pm_attempt_null pm_attempt_set pm_attempt_unset
## pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
@ -722,11 +722,11 @@ event pm_attempt_dump%(r: connection, status: rpc_status%);
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
## :zeek:id:`RPC_status`.
##
## call: The argument to the original request.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_getport pm_request_dump pm_request_callit
## pm_attempt_null pm_attempt_set pm_attempt_unset
## pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
@ -751,7 +751,7 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ
##
## bad_p: The invalid port value.
##
## .. bro:see:: pm_request_null pm_request_set pm_request_unset
## .. zeek:see:: pm_request_null pm_request_set pm_request_unset
## pm_request_getport pm_request_dump pm_request_callit
## pm_attempt_null pm_attempt_set pm_attempt_unset
## pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
@ -767,7 +767,7 @@ event pm_bad_port%(r: connection, bad_p: count%);
## and reply by their transaction identifiers and raises this event once both
## have been seen. If there's not a reply, this event will still be generated
## eventually on timeout. In that case, *status* will be set to
## :bro:enum:`RPC_TIMEOUT`.
## :zeek:enum:`RPC_TIMEOUT`.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
## about the ONC RPC protocol.
@ -781,7 +781,7 @@ event pm_bad_port%(r: connection, bad_p: count%);
## proc: The procedure of the remote program to call.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
## :zeek:id:`RPC_status`.
##
## start_time: The time when the *call* was seen.
##
@ -789,13 +789,13 @@ event pm_bad_port%(r: connection, bad_p: count%);
##
## reply_len: The size of the *reply_body* PDU.
##
## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
@ -816,13 +816,13 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status:
##
## call_len: The size of the *call_body* PDU.
##
## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## .. zeek:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
@ -836,17 +836,17 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count,
## xid: The transaction identifier allowing to match requests with replies.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
## :zeek:id:`RPC_status`.
##
## reply_len: The size of the *reply_body* PDU.
##
## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request
## .. zeek:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%);
@ -859,7 +859,7 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count
##
## info: Reports the status of the dialogue, along with some meta information.
##
## .. bro:see:: mount_proc_mnt mount_proc_umnt
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -882,7 +882,7 @@ event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: mount_proc_mnt mount_proc_umnt
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -902,7 +902,7 @@ event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntar
##
## req: The arguments passed in the request.
##
## .. bro:see:: mount_proc_mnt mount_proc_umnt
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -922,7 +922,7 @@ event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmnta
##
## req: The arguments passed in the request.
##
## .. bro:see:: mount_proc_mnt mount_proc_umnt
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -940,7 +940,7 @@ event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dir
##
## proc: The procedure called that Bro does not implement.
##
## .. bro:see:: mount_proc_mnt mount_proc_umnt
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
@ -956,7 +956,7 @@ event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOU
##
## info: Reports the status included in the reply.
##
## .. bro:see:: mount_proc_mnt mount_proc_umnt
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol


@ -13,7 +13,7 @@
##
## version: The version number specified in the request (e.g., ``2.0``).
##
## .. bro:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity
## .. zeek:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity
event sip_request%(c: connection, method: string, original_URI: string, version: string%);
## Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
@ -31,7 +31,7 @@ event sip_request%(c: connection, method: string, original_URI: string, version:
##
## reason: Textual details for the response code.
##
## .. bro:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity
## .. zeek:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity
event sip_reply%(c: connection, version: string, code: count, reason: string%);
## Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
@ -47,7 +47,7 @@ event sip_reply%(c: connection, version: string, code: count, reason: string%);
##
## value: Header value.
##
## .. bro:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity
## .. zeek:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity
event sip_header%(c: connection, is_orig: bool, name: string, value: string%);
## Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
@ -61,7 +61,7 @@ event sip_header%(c: connection, is_orig: bool, name: string, value: string%);
##
## hlist: All the headers, and their values
##
## .. bro:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity
## .. zeek:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity
event sip_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
## Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
@ -75,7 +75,7 @@ event sip_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
##
## is_orig: Whether the message came from the originator.
##
## .. bro:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity
## .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity
event sip_begin_entity%(c: connection, is_orig: bool%);
## Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
@ -87,5 +87,5 @@ event sip_begin_entity%(c: connection, is_orig: bool%);
##
## is_orig: Whether the message came from the originator.
##
## .. bro:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity
## .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity
event sip_end_entity%(c: connection, is_orig: bool%);


@ -35,6 +35,7 @@ bro_plugin_bif(
smb2_com_tree_connect.bif
smb2_com_tree_disconnect.bif
smb2_com_write.bif
smb2_com_transform_header.bif
smb2_events.bif
events.bif
@ -84,5 +85,6 @@ bro_plugin_pac(
smb2-com-tree-connect.pac
smb2-com-tree-disconnect.pac
smb2-com-write.pac
smb2-com-transform-header.pac
)
bro_plugin_end()


@ -3,7 +3,7 @@
## up is when the drive mapping isn't seen so the analyzer is not able
## to determine whether to send the data to the files framework or to
## the DCE_RPC analyzer. This heuristic can be tuned by adding or
## removing "named pipe" names from the :bro:see:`SMB::pipe_filenames`
## removing "named pipe" names from the :zeek:see:`SMB::pipe_filenames`
## const.
##
## c: The connection.


@ -1,6 +1,7 @@
enum SMBVersion {
SMB1 = 0xff534d42, # \xffSMB
SMB2 = 0xfe534d42, # \xfeSMB
SMB3 = 0xfd534d42, # \xfdSMB (implies use of transform_header)
};
enum TransactionType {


@ -40,6 +40,7 @@
#include "smb2_com_tree_connect.bif.h"
#include "smb2_com_tree_disconnect.bif.h"
#include "smb2_com_write.bif.h"
#include "smb2_com_transform_header.bif.h"
%}
analyzer SMB withcontext {
@ -93,6 +94,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
%include smb2-com-tree-connect.pac
%include smb2-com-tree-disconnect.pac
%include smb2-com-write.pac
%include smb2-com-transform-header.pac
type uint24 = record {
byte1 : uint8;
@ -128,6 +130,8 @@ type SMB_Protocol_Identifier(is_orig: bool, msg_len: uint32) = record {
smb_1_or_2 : case protocol of {
SMB1 -> smb1 : SMB_PDU(is_orig, msg_len);
SMB2 -> smb2 : SMB2_PDU(is_orig);
# SMB 3.x protocol ID implies use of transform header to support encryption
SMB3 -> smb3 : SMB2_transform_header;
default -> unknown : empty;
};
};
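Review bot: The comment `# SMB 3.x protocol ID implies use of transform header to support encryption` above the new `SMB3 -> smb3 : SMB2_transform_header;` arm misstates what 0xFD534D42 marks: as far as I can tell from MS-SMB2 it is the ProtocolId of the SMB2 TRANSFORM_HEADER, i.e. an encrypted message, while plaintext SMB 3.x commands still carry the 0xFE id and go through the `SMB2` arm, so this case is reached only for encrypted 3.x traffic, not for "SMB 3.x" in general. I would replace it with `# 0xFD534D42 is the SMB2 TRANSFORM_HEADER protocol id: an encrypted SMB 3.x message (plaintext 3.x still uses 0xFE)`. Separately, the arm parses only the 48-byte transform record and nothing in this hunk skips the ciphertext that follows it inside the same PDU; if the enclosing `msg_len` framing does not discard the remainder, the next parse would begin inside the ciphertext, so that is worth confirming. `SMB_Protocol_Identifier` begins outside the hunk.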


@ -10,7 +10,7 @@
##
## directory_name: The directory name to check for existence.
##
## .. bro:see:: smb1_message smb1_check_directory_response
## .. zeek:see:: smb1_message smb1_check_directory_response
event smb1_check_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -23,5 +23,5 @@ event smb1_check_directory_request%(c: connection, hdr: SMB1::Header, directory_
##
## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
##
## .. bro:see:: smb1_message smb1_check_directory_request
## .. zeek:see:: smb1_message smb1_check_directory_request
event smb1_check_directory_response%(c: connection, hdr: SMB1::Header%);


@ -10,6 +10,6 @@
##
## file_id: The file identifier being closed.
##
## .. bro:see:: smb1_message
## .. zeek:see:: smb1_message
event smb1_close_request%(c: connection, hdr: SMB1::Header, file_id: count%);


@ -11,7 +11,7 @@
##
## directory_name: The name of the directory to create.
##
## .. bro:see:: smb1_message smb1_create_directory_response smb1_transaction2_request
## .. zeek:see:: smb1_message smb1_create_directory_response smb1_transaction2_request
event smb1_create_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -25,5 +25,5 @@ event smb1_create_directory_request%(c: connection, hdr: SMB1::Header, directory
##
## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
##
## .. bro:see:: smb1_message smb1_create_directory_request smb1_transaction2_request
## .. zeek:see:: smb1_message smb1_create_directory_request smb1_transaction2_request
event smb1_create_directory_response%(c: connection, hdr: SMB1::Header%);


@ -12,7 +12,7 @@
##
## data: The data for the server to echo.
##
## .. bro:see:: smb1_message smb1_echo_response
## .. zeek:see:: smb1_message smb1_echo_response
event smb1_echo_request%(c: connection, echo_count: count, data: string%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -28,5 +28,5 @@ event smb1_echo_request%(c: connection, echo_count: count, data: string%);
##
## data: The data echoed back from the client.
##
## .. bro:see:: smb1_message smb1_echo_request
## .. zeek:see:: smb1_message smb1_echo_request
event smb1_echo_response%(c: connection, seq_num: count, data: string%);


@ -10,6 +10,6 @@
##
## is_orig: Indicates which host sent the logoff message.
##
## .. bro:see:: smb1_message
## .. zeek:see:: smb1_message
event smb1_logoff_andx%(c: connection, is_orig: bool%);


@ -11,7 +11,7 @@
##
## dialects: The SMB dialects supported by the client.
##
## .. bro:see:: smb1_message smb1_negotiate_response
## .. zeek:see:: smb1_message smb1_negotiate_response
event smb1_negotiate_request%(c: connection, hdr: SMB1::Header, dialects: string_vec%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -26,7 +26,7 @@ event smb1_negotiate_request%(c: connection, hdr: SMB1::Header, dialects: string
##
## response: A record structure containing more information from the response.
##
## .. bro:see:: smb1_message smb1_negotiate_request
## .. zeek:see:: smb1_message smb1_negotiate_request
event smb1_negotiate_response%(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse%);
#### Types


@ -8,5 +8,5 @@
##
## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
##
## .. bro:see:: smb1_message
## .. zeek:see:: smb1_message
event smb1_nt_cancel_request%(c: connection, hdr: SMB1::Header%);


@ -11,7 +11,7 @@
##
## name: The ``name`` attribute specified in the message.
##
## .. bro:see:: smb1_message smb1_nt_create_andx_response
## .. zeek:see:: smb1_message smb1_nt_create_andx_response
event smb1_nt_create_andx_request%(c: connection, hdr: SMB1::Header, file_name: string%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -30,7 +30,7 @@ event smb1_nt_create_andx_request%(c: connection, hdr: SMB1::Header, file_name:
##
## times: Timestamps associated with the file in question.
##
## .. bro:see:: smb1_message smb1_nt_create_andx_request
## .. zeek:see:: smb1_message smb1_nt_create_andx_request
event smb1_nt_create_andx_response%(c: connection, hdr: SMB1::Header, file_id: count, file_size: count, times: SMB::MACTimes%);


@ -11,6 +11,6 @@
##
## filename: The filename that the client is querying.
##
## .. bro:see:: smb1_message smb1_transaction2_request
## .. zeek:see:: smb1_message smb1_transaction2_request
event smb1_query_information_request%(c: connection, hdr: SMB1::Header, filename: string%);


@ -15,7 +15,7 @@
##
## length: The number of bytes being requested.
##
## .. bro:see:: smb1_message smb1_read_andx_response
## .. zeek:see:: smb1_message smb1_read_andx_response
event smb1_read_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -29,6 +29,6 @@ event smb1_read_andx_request%(c: connection, hdr: SMB1::Header, file_id: count,
##
## data_len: The length of data from the requested file.
##
## .. bro:see:: smb1_message smb1_read_andx_request
## .. zeek:see:: smb1_message smb1_read_andx_request
event smb1_read_andx_response%(c: connection, hdr: SMB1::Header, data_len: count%);


@ -9,7 +9,7 @@
##
## request: The parsed request data of the SMB message. See init-bare for more details.
##
## .. bro:see:: smb1_message smb1_session_setup_andx_response
## .. zeek:see:: smb1_message smb1_session_setup_andx_response
event smb1_session_setup_andx_request%(c: connection, hdr: SMB1::Header, request: SMB1::SessionSetupAndXRequest%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -23,7 +23,7 @@ event smb1_session_setup_andx_request%(c: connection, hdr: SMB1::Header, request
##
## response: The parsed response data of the SMB message. See init-bare for more details.
##
## .. bro:see:: smb1_message smb1_session_setup_andx_request
## .. zeek:see:: smb1_message smb1_session_setup_andx_request
event smb1_session_setup_andx_response%(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse%);
#### Types


@ -18,7 +18,7 @@
##
## data: content of the SMB_Data.Trans_Data field
##
## .. bro:see:: smb1_message smb1_transaction2_request
## .. zeek:see:: smb1_message smb1_transaction2_request
event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`


@ -15,7 +15,7 @@
##
## sub_cmd: The sub command, some are parsed and have their own events.
##
## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
## .. zeek:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
## smb1_trans2_get_dfs_referral_request smb1_transaction_request
event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count%);
@ -31,7 +31,7 @@ event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::T
##
## args: A record data structure with arguments given to the command.
##
## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request
## .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request
## smb1_trans2_get_dfs_referral_request
event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Request_Args%);
@ -47,7 +47,7 @@ event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: S
##
## file_name: File name the request is in reference to.
##
## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
## .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
## smb1_trans2_get_dfs_referral_request
event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, file_name: string%);
@ -63,7 +63,7 @@ event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, fil
##
## file_name: File name the request is in reference to.
##
## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
## .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
## smb1_trans2_query_path_info_request
event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, file_name: string%);


@ -12,7 +12,7 @@
##
## service: The ``service`` attribute specified in the message.
##
## .. bro:see:: smb1_message smb1_tree_connect_andx_response
## .. zeek:see:: smb1_message smb1_tree_connect_andx_response
event smb1_tree_connect_andx_request%(c: connection, hdr: SMB1::Header, path: string, service: string%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -29,6 +29,6 @@ event smb1_tree_connect_andx_request%(c: connection, hdr: SMB1::Header, path: st
##
## native_file_system: The file system of the remote server as indicate by the server.
##
## .. bro:see:: smb1_message smb1_tree_connect_andx_request
## .. zeek:see:: smb1_message smb1_tree_connect_andx_request
event smb1_tree_connect_andx_response%(c: connection, hdr: SMB1::Header, service: string, native_file_system: string%);


@ -10,6 +10,6 @@
##
## is_orig: True if the message was from the originator.
##
## .. bro:see:: smb1_message
## .. zeek:see:: smb1_message
event smb1_tree_disconnect%(c: connection, hdr: SMB1::Header, is_orig: bool%);


@ -13,7 +13,7 @@
##
## data: The data being written.
##
## .. bro:see:: smb1_message smb1_write_andx_response
## .. zeek:see:: smb1_message smb1_write_andx_response
event smb1_write_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -28,5 +28,5 @@ event smb1_write_andx_request%(c: connection, hdr: SMB1::Header, file_id: count,
##
## written_bytes: The number of bytes the server reported having actually written.
##
## .. bro:see:: smb1_message smb1_write_andx_request
## .. zeek:see:: smb1_message smb1_write_andx_request
event smb1_write_andx_response%(c: connection, hdr: SMB1::Header, written_bytes: count%);


@ -14,7 +14,7 @@
## is_orig: True if the message was sent by the originator of the underlying
## transport-level connection.
##
## .. bro:see:: smb2_message
## .. zeek:see:: smb2_message
event smb1_message%(c: connection, hdr: SMB1::Header, is_orig: bool%);
## Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body.
@ -23,7 +23,7 @@ event smb1_message%(c: connection, hdr: SMB1::Header, is_orig: bool%);
##
## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
##
## .. bro:see:: smb1_message
## .. zeek:see:: smb1_message
event smb1_empty_response%(c: connection, hdr: SMB1::Header%);
## Generated for :abbr:`SMB (Server Message Block)` version 1 messages
@ -37,6 +37,6 @@ event smb1_empty_response%(c: connection, hdr: SMB1::Header%);
## is_orig: True if the message was sent by the originator of the underlying
## transport-level connection.
##
## .. bro:see:: smb1_message
## .. zeek:see:: smb1_message
event smb1_error%(c: connection, hdr: SMB1::Header, is_orig: bool%);


@ -1,3 +1,21 @@
enum smb3_capabilities {
SMB2_GLOBAL_CAP_DFS = 0x00,
SMB2_GLOBAL_CAP_LEASING = 0x02,
SMB2_GLOBAL_CAP_LARGE_MTU = 0x04,
SMB2_GLOBAL_CAP_MULTI_CHANNE = 0x08,
SMB2_GLOBAL_CAP_PERSISTENT_HANDLES = 0x10,
SMB2_GLOBAL_CAP_DIRECTORY_LEASING = 0x20,
SMB2_GLOBAL_CAP_ENCRYPTION = 0x40,
};
enum smb3_context_type {
SMB2_PREAUTH_INTEGRITY_CAPABILITIES = 0x0001,
SMB2_ENCRYPTION_CAPABILITIES = 0x0002,
SMB2_COMPRESSION_CAPABILITIES = 0x0004,
SMB2_NETNAME_NEGOTIATE_CONTEXT_ID = 0x0005,
};
refine connection SMB_Conn += {
function proc_smb2_negotiate_request(h: SMB2_Header, val: SMB2_negotiate_request) : bool
@ -25,9 +43,19 @@ refine connection SMB_Conn += {
nr->Assign(0, val_mgr->GetCount(${val.dialect_revision}));
nr->Assign(1, val_mgr->GetCount(${val.security_mode}));
nr->Assign(2, BuildSMB2GUID(${val.server_guid})),
nr->Assign(2, BuildSMB2GUID(${val.server_guid}));
nr->Assign(3, filetime2brotime(${val.system_time}));
nr->Assign(4, filetime2brotime(${val.server_start_time}));
nr->Assign(5, val_mgr->GetCount(${val.negotiate_context_count}));
VectorVal* cv = new VectorVal(BifType::Vector::SMB2::NegotiateContextValues);
if ( ${val.dialect_revision} == 0x0311 )
for ( auto i = 0u; i < ${val.smb3_ncl.vals}->size(); ++i )
cv->Assign(i, BuildSMB2ContextVal(${val.smb3_ncl.vals[i]}));
nr->Assign(6, cv);
BifEvent::generate_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
nr);
@ -37,35 +65,81 @@ refine connection SMB_Conn += {
%}
};
type SMB3_preauth_integrity_capabilities = record {
hash_alg_count : uint16;
salt_length : uint16;
hash_alg : uint16[hash_alg_count];
salt : bytestring &length = salt_length;
};
type SMB3_encryption_capabilities = record {
cipher_count : uint16;
ciphers : uint16[cipher_count];
};
type SMB3_compression_capabilities = record {
alg_count : uint16;
pad: uint16;
reserved : uint32;
algs : uint16[alg_count];
};
type SMB3_netname_negotiate_context_id(len: uint16) = record {
net_name: bytestring &length = len;
};
type SMB3_negotiate_context_value = record {
context_type : uint16; # specify the type of context
data_length : uint16; # the length of the data field
reserved : uint32; # ignored
data : case context_type of {
SMB2_PREAUTH_INTEGRITY_CAPABILITIES -> preauth_integrity_capabilities : SMB3_preauth_integrity_capabilities;
SMB2_ENCRYPTION_CAPABILITIES -> encryption_capabilities : SMB3_encryption_capabilities;
SMB2_COMPRESSION_CAPABILITIES -> compression_capabilities : SMB3_compression_capabilities;
SMB2_NETNAME_NEGOTIATE_CONTEXT_ID -> netname_negotiate_context_id : SMB3_netname_negotiate_context_id(data_length);
};
pad : padding align 4;
};
type SMB2_negotiate_request(header: SMB2_Header) = record {
structure_size : uint16; # client MUST set this to 36
dialect_count : uint16; # must be > 0
security_mode : uint16; # there is a list of required modes
reserved : padding[2]; # must be set to 0
capabilities : uint32; # must be set to 0
client_guid : SMB2_guid; # guid if client implements SMB 2.1 dialect, otherwise set to 0
client_start_time : SMB_timestamp; # must be set to 0
structure_size : uint16; # client MUST set this to 36
dialect_count : uint16; # must be > 0
security_mode : uint16; # there is a list of required modes
reserved : padding[2]; # must be set to 0
capabilities : uint32; # must be set to 0 if SMB 2.x, otherwise if SMB 3.x one of enum smb2_capabilities
client_guid : SMB2_guid; # guid if client implements SMB 2.1 dialect, otherwise set to 0
client_start_time : SMB_timestamp;
dialects : uint16[dialect_count];
} &byteorder=littleendian, &let {
proc : bool = $context.connection.proc_smb2_negotiate_request(header, this);
};
type NegotiateContextList(len: uint16) = record {
pad : padding align 8;
vals : SMB3_negotiate_context_value[len];
}
type SMB2_negotiate_response(header: SMB2_Header) = record {
structure_size : uint16;
security_mode : uint16;
dialect_revision : uint16;
reserved : padding[2];
server_guid : SMB2_guid;
capabilities : uint32;
max_transact_size : uint32;
max_read_size : uint32;
max_write_size : uint32;
system_time : SMB_timestamp;
server_start_time : SMB_timestamp;
security_offset : uint16;
security_length : uint16;
pad1 : padding to security_offset - header.head_length;
security_blob : bytestring &length=security_length;
structure_size : uint16;
security_mode : uint16;
dialect_revision : uint16;
negotiate_context_count : uint16; # reserved to 0 if not smb 3.1.1
server_guid : SMB2_guid;
capabilities : uint32;
max_transact_size : uint32;
max_read_size : uint32;
max_write_size : uint32;
system_time : SMB_timestamp;
server_start_time : SMB_timestamp;
security_offset : uint16;
security_length : uint16;
negotiate_context_offset : uint32;
pad1 : padding to security_offset - header.head_length;
security_blob : bytestring &length=security_length;
negotiate_context_list : case dialect_revision of {
0x0311 -> smb3_ncl : NegotiateContextList(negotiate_context_count);
default -> unknown : empty;
};
} &byteorder=littleendian, &let {
proc : bool = $context.connection.proc_smb2_negotiate_response(header, this);
gssapi_proc : bool = $context.connection.forward_gssapi(security_blob, false);
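Review bot: The `data : case context_type of` switch in `SMB3_negotiate_context_value` has no `default` arm, unlike the `negotiate_context_list` case further down that ends in `default -> unknown : empty;`, so a negotiate response carrying any context type other than the four listed (MS-SMB2 has since defined more, e.g. transport and signing capabilities) fails to parse and aborts SMB analysis for exactly the sessions with the newest servers; a `default -> unknown : bytestring &length = data_length;` arm keeps the parser in sync. The typed arms are likewise not bounded by `data_length`, so a context whose declared length disagrees with its body desyncs every context after it, which `&length = data_length` on each arm would contain. The new constants deserve a check against the spec before they are used as flags: `SMB2_GLOBAL_CAP_DFS = 0x00` is a zero flag that can never be tested (my reading of MS-SMB2 2.2.4 gives 0x00000001), `SMB2_COMPRESSION_CAPABILITIES = 0x0004` reads as 0x0003 there, and `SMB2_GLOBAL_CAP_MULTI_CHANNE` is missing its final L. Finally, `negotiate_context_offset` is parsed but never used — `NegotiateContextList` relies on `padding align 8` from the end of the security blob, which matches well-formed responses but ignores the offset the server advertises — and the comment on `capabilities` refers to `enum smb2_capabilities` while the enum added above is named `smb3_capabilities`.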


@ -0,0 +1,37 @@
refine connection SMB_Conn += {
function BuildSMB2TransformHeaderVal(hdr: SMB2_transform_header): BroVal
%{
RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header);
r->Assign(0, bytestring_to_val(${hdr.signature}));
r->Assign(1, bytestring_to_val(${hdr.nonce}));
r->Assign(2, val_mgr->GetCount(${hdr.orig_msg_size}));
r->Assign(3, val_mgr->GetCount(${hdr.flags}));
r->Assign(4, val_mgr->GetCount(${hdr.session_id}));
return r;
%}
function proc_smb2_transform_header(hdr: SMB2_transform_header) : bool
%{
if ( smb2_transform_header )
BifEvent::generate_smb2_transform_header(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2TransformHeaderVal(hdr));
return true;
%}
};
type SMB2_transform_header = record {
signature : bytestring &length = 16;
nonce : bytestring &length = 16;
orig_msg_size : uint32;
reserved : uint16;
flags : uint16;
session_id : uint64;
} &let {
proc: bool = $context.connection.proc_smb2_transform_header(this);
} &byteorder = littleendian;
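Review bot: `SMB2_transform_header` starts at `signature`, but the MS-SMB2 2.2.41 transform header begins with a 4-byte ProtocolId (0xFD 'S' 'M' 'B'); the record is only aligned if the outer PDU dispatch has already consumed that prefix, which is not visible in this hunk, so it is worth confirming and stating on the record, e.g. `# MS-SMB2 2.2.41 TRANSFORM_HEADER, minus the 4-byte ProtocolId consumed by the caller`. The `flags` field is overloaded by the spec: on the 3.0/3.0.2 dialects it is EncryptionAlgorithm (0x0001 = AES-128-CCM), on 3.1.1 it is Flags (0x0001 = Encrypted), so a script consumer needs the negotiated dialect to interpret it — suggest `# 3.0/3.0.2: EncryptionAlgorithm; 3.1.1: Flags (0x0001 = encrypted)` beside the field. A transform header also means the `orig_msg_size` bytes that follow are ciphertext, so this is the last event the analyzer can raise for that message; how the encrypted payload is skipped is outside the hunk, but a one-line comment saying so would spare the next reader the spec lookup.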


@ -24,6 +24,15 @@ refine connection SMB_Conn += {
function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool
%{
if ( smb2_write_response )
{
BifEvent::generate_smb2_write_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
${val.write_count});
}
return true;
%}
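Review bot: `proc_smb2_write_response` has no comment, and the event it now raises exposes only `write_count`, so a handler sees a byte count with no file handle; the `SMB2_write_response` record is outside this hunk, but per MS-SMB2 2.2.22 the WRITE response carries no FileId, so a consumer presumably has to pair the response with its request through the header's message id. Suggest a header comment: `# Raise smb2_write_response with the server-reported byte count; the file handle is only on the request side, pair via the header's message id.` The enclosing `refine connection SMB_Conn += {` block begins before the hunk.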


@ -100,6 +100,74 @@ refine connection SMB_Conn += {
std::map<uint64,uint64> smb2_request_tree_id;
%}
function BuildSMB2ContextVal(ncv: SMB3_negotiate_context_value): BroVal
%{
RecordVal* r = new RecordVal(BifType::Record::SMB2::NegotiateContextValue);
r->Assign(0, val_mgr->GetCount(${ncv.context_type}));
r->Assign(1, val_mgr->GetCount(${ncv.data_length}));
switch ( ${ncv.context_type} ) {
case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
{
RecordVal* rpreauth = new RecordVal(BifType::Record::SMB2::PreAuthIntegrityCapabilities);
rpreauth->Assign(0, val_mgr->GetCount(${ncv.preauth_integrity_capabilities.hash_alg_count}));
rpreauth->Assign(1, val_mgr->GetCount(${ncv.preauth_integrity_capabilities.salt_length}));
VectorVal* ha = new VectorVal(internal_type("index_vec")->AsVectorType());
for ( int i = 0; i < (${ncv.preauth_integrity_capabilities.hash_alg_count}); ++i )
ha->Assign(i, val_mgr->GetCount(${ncv.preauth_integrity_capabilities.hash_alg[i]}));
rpreauth->Assign(2, ha);
rpreauth->Assign(3, bytestring_to_val(${ncv.preauth_integrity_capabilities.salt}));
r->Assign(2, rpreauth);
}
break;
case SMB2_ENCRYPTION_CAPABILITIES:
{
RecordVal* rencr = new RecordVal(BifType::Record::SMB2::EncryptionCapabilities);
rencr->Assign(0, val_mgr->GetCount(${ncv.encryption_capabilities.cipher_count}));
VectorVal* c = new VectorVal(internal_type("index_vec")->AsVectorType());
for ( int i = 0; i < (${ncv.encryption_capabilities.cipher_count}); ++i )
c->Assign(i, val_mgr->GetCount(${ncv.encryption_capabilities.ciphers[i]}));
rencr->Assign(1, c);
r->Assign(3, rencr);
}
break;
case SMB2_COMPRESSION_CAPABILITIES:
{
RecordVal* rcomp = new RecordVal(BifType::Record::SMB2::CompressionCapabilities);
rcomp->Assign(0, val_mgr->GetCount(${ncv.compression_capabilities.alg_count}));
VectorVal* c = new VectorVal(internal_type("index_vec")->AsVectorType());
for ( int i = 0; i < (${ncv.compression_capabilities.alg_count}); ++i )
c->Assign(i, val_mgr->GetCount(${ncv.compression_capabilities.algs[i]}));
rcomp->Assign(1, c);
r->Assign(4, rcomp);
}
break;
case SMB2_NETNAME_NEGOTIATE_CONTEXT_ID:
{
r->Assign(5, bytestring_to_val(${ncv.netname_negotiate_context_id.net_name}));
}
break;
default:
break;
}
return r;
%}
function BuildSMB2HeaderVal(hdr: SMB2_Header): BroVal
%{
RecordVal* r = new RecordVal(BifType::Record::SMB2::Header);
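Review bot: In the `SMB2_NETNAME_NEGOTIATE_CONTEXT_ID` case `net_name` is exported with `bytestring_to_val`, but MS-SMB2 2.2.3.1.4 defines NetName as a UTF-16LE string; the `SMB3_negotiate_context_value` record is outside this hunk, so if `net_name` is parsed as raw bytes the script-level value will be UTF-16LE rather than the converted text the analyzer's other SMB2 string fields carry, which matters because NetName is exactly the value a script would compare against a hostname to spot relayed or spoofed negotiations. Either convert it here or document the encoding on the assignment, e.g. `// raw UTF-16LE per MS-SMB2 2.2.3.1.4 — not converted`. The other cases index the result record with bare numbers (`r->Assign(2, …)` through `r->Assign(5, …)`) that must line up with `SMB2::NegotiateContextValue` in the .bif, which is not visible here; a trailing comment naming the field on each `Assign` makes a silent mismatch reviewable. The loops compare a signed `int i` against wire-supplied `uint16` counts — `for ( uint16 i = 0; …` avoids the sign-compare warning — and since those counts come straight off the wire it is worth confirming the binpac array lengths are bound to the same counts so `[i]` cannot run past the parsed data.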


@ -10,7 +10,7 @@
##
## file_name: The SMB2 GUID of the file being closed.
##
## .. bro:see:: smb2_message smb2_close_response
## .. zeek:see:: smb2_message smb2_close_response
event smb2_close_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -25,7 +25,7 @@ event smb2_close_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID%
##
## response: A record of attributes returned from the server from the close.
##
## .. bro:see:: smb2_message smb2_close_request
## .. zeek:see:: smb2_message smb2_close_request
event smb2_close_response%(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse%);
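Review bot: The doc comment on `smb2_close_request` describes a `file_name` parameter, but the event's only file argument is `file_id: SMB2::GUID`, so the generated reference documents a name that does not exist. Since this comment block is already being touched for the `zeek:see` rename, fix it in the same commit: `## file_id: The SMB2 GUID of the file being closed.`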


@ -10,7 +10,7 @@
##
## request: A record with more information related to the request.
##
## .. bro:see:: smb2_message smb2_create_response
## .. zeek:see:: smb2_message smb2_create_response
event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -25,7 +25,7 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::Crea
##
## response: A record with more information related to the response.
##
## .. bro:see:: smb2_message smb2_create_request
## .. zeek:see:: smb2_message smb2_create_request
event smb2_create_response%(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse%);
#### Types


@ -10,7 +10,7 @@
##
## dialects: A vector of the client's supported dialects.
##
## .. bro:see:: smb2_message smb2_negotiate_response
## .. zeek:see:: smb2_message smb2_negotiate_response
event smb2_negotiate_request%(c: connection, hdr: SMB2::Header, dialects: index_vec%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -25,7 +25,7 @@ event smb2_negotiate_request%(c: connection, hdr: SMB2::Header, dialects: index_
##
## response: The negotiate response data structure.
##
## .. bro:see:: smb2_message smb2_negotiate_request
## .. zeek:see:: smb2_message smb2_negotiate_request
event smb2_negotiate_response%(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse%);
#### Types


@ -14,5 +14,5 @@
##
## length: The number of bytes of the file being read.
##
## .. bro:see:: smb2_message
## .. zeek:see:: smb2_message
event smb2_read_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%);


@ -11,7 +11,7 @@
##
## request: A record containing more information related to the request.
##
## .. bro:see:: smb2_message smb2_session_setup_response
## .. zeek:see:: smb2_message smb2_session_setup_response
event smb2_session_setup_request%(c: connection, hdr: SMB2::Header, request: SMB2::SessionSetupRequest%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -26,7 +26,7 @@ event smb2_session_setup_request%(c: connection, hdr: SMB2::Header, request: SMB
##
## response: A record containing more information related to the response.
##
## .. bro:see:: smb2_message smb2_session_setup_request
## .. zeek:see:: smb2_message smb2_session_setup_request
event smb2_session_setup_response%(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse%);
#### Types
