From 4a04b563f5e6dd4c6d6fc109904dd52027babc65 Mon Sep 17 00:00:00 2001
From: Yacin Nadji <yacin.nadji@corelight.com>
Date: Fri, 5 Aug 2022 16:17:50 +0200
Subject: [PATCH 1/4] GH-2319: Add change handlers to Site

---
 scripts/base/utils/site.zeek                  | 34 +++++++++++++++----
 .../Baseline/scripts.base.utils.site/output   | 16 +++++++++
 testing/btest/scripts/base/utils/site.test    | 26 ++++++++++++++
 3 files changed, 69 insertions(+), 7 deletions(-)

diff --git a/scripts/base/utils/site.zeek b/scripts/base/utils/site.zeek
index 7745d7b2c8..d98f76ee79 100644
--- a/scripts/base/utils/site.zeek
+++ b/scripts/base/utils/site.zeek
@@ -234,13 +234,33 @@ function get_emails(a: addr): string
 	return fmt_email_string(find_all_emails(a));
 	}
 
-event zeek_init() &priority=10
+function update_local_nets_table(id: string, new_value: set[subnet]): set[subnet]
+	{
+	# Create the local_nets mapping table.
+	for ( cidr in new_value )
+		local_nets_table[cidr] = cidr;
+	return new_value;
+	}
+
+function update_zones_regex(id: string, new_value: set[string]): set[string]
 	{
 	# Double backslashes are needed due to string parsing.
-	local_dns_suffix_regex = set_to_regex(local_zones, "(^\\.?|\\.)(~~)$");
-	local_dns_neighbor_suffix_regex = set_to_regex(neighbor_zones, "(^\\.?|\\.)(~~)$");
-
-	# Create the local_nets mapping table.
-	for ( cidr in Site::local_nets )
-		local_nets_table[cidr] = cidr;
+	if ( id == "Site::local_zones" )
+		local_dns_suffix_regex = set_to_regex(new_value, "(^\\.?|\\.)(~~)$");
+	else if ( id == "Site::neighbor_zones" )
+		local_dns_neighbor_suffix_regex = set_to_regex(new_value, "(^\\.?|\\.)(~~)$");
+	return new_value;
+	}
+
+event zeek_init() &priority=10
+	{
+	Option::set_change_handler("Site::local_nets", update_local_nets_table);
+	Option::set_change_handler("Site::local_zones", update_zones_regex);
+	Option::set_change_handler("Site::neighbor_zones", update_zones_regex);
+
+	# Use change handler to initialize local_nets mapping table and zones
+	# regexes.
+	update_local_nets_table("Site::local_nets", Site::local_nets);
+	update_zones_regex("Site::local_zones", Site::local_zones);
+	update_zones_regex("Site::neighbor_zones", Site::neighbor_zones);
 	}
diff --git a/testing/btest/Baseline/scripts.base.utils.site/output b/testing/btest/Baseline/scripts.base.utils.site/output
index 3a883a2244..fa42176017 100644
--- a/testing/btest/Baseline/scripts.base.utils.site/output
+++ b/testing/btest/Baseline/scripts.base.utils.site/output
@@ -1,3 +1,19 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 site-admin@example.com, other-site-admin@example.com
 site-admin@example.com, net-admin@example.com, other-site-admin@example.com
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
diff --git a/testing/btest/scripts/base/utils/site.test b/testing/btest/scripts/base/utils/site.test
index c66cedf16e..ba7944e7cc 100644
--- a/testing/btest/scripts/base/utils/site.test
+++ b/testing/btest/scripts/base/utils/site.test
@@ -2,6 +2,7 @@
 # @TEST-EXEC: btest-diff output
 
 @load base/utils/site
+@load base/frameworks/config
 
 global a = { "site-admin@example.com", "other-site-admin@example.com" };
 global b = { "net-admin@example.com" };
@@ -10,9 +11,34 @@ redef Site::local_admins += {
     [141.142.0.0/16] = a,
     [141.142.100.0/24] = b,
 };
+redef Site::local_nets = set();
+redef Site::local_zones = set();
+redef Site::neighbor_zones = set();
 
 event zeek_init()
     {
     print Site::get_emails(141.142.1.1);
     print Site::get_emails(141.142.100.100);
+
+    print Site::is_local_name("foo.wutang.com") == F;
+    print Site::is_neighbor_name("baz.shaolin.com") == F;
+    print Site::is_local_addr(141.142.1.1) == F;
+    print Site::is_local_addr(141.142.100.100) == F;
+    print 141.142.0.0 in Site::local_nets_table == F;
+    print 141.142.100.100 in Site::local_nets_table == F;
+
+    Config::set_value("Site::local_nets", set(141.142.0.0/16, 141.142.100.0/24));
+    Config::set_value("Site::local_zones", set("wutang.com"));
+    Config::set_value("Site::neighbor_zones", set("shaolin.com"));
+
+    print Site::is_local_name("foo.wutang.com") == T;
+    print Site::is_neighbor_name("baz.shaolin.com") == T;
+    print Site::is_neighbor_name("foo.wutang.com") == F;
+    print Site::is_local_name("baz.shaolin.com") == F;
+    print Site::is_local_addr(141.142.1.1) == T;
+    print Site::is_local_addr(141.142.100.100) == T;
+    print 141.142.1.1 in Site::local_nets_table == T;
+    print 141.142.100.100 in Site::local_nets_table == T;
+    print Site::local_nets_table[141.142.1.1] == 141.142.0.0/16;
+    print Site::local_nets_table[141.142.100.100] == 141.142.100.0/24;
     }

From dc1102e9dda4aa1a0cfeecd3e45c6b801f8135ab Mon Sep 17 00:00:00 2001
From: Yacin Nadji <yacin.nadji@corelight.com>
Date: Mon, 8 Aug 2022 11:40:18 +0200
Subject: [PATCH 2/4] split update_zones_regex into two functions

---
 scripts/base/utils/site.zeek | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/scripts/base/utils/site.zeek b/scripts/base/utils/site.zeek
index d98f76ee79..17b4da03fc 100644
--- a/scripts/base/utils/site.zeek
+++ b/scripts/base/utils/site.zeek
@@ -242,25 +242,28 @@ function update_local_nets_table(id: string, new_value: set[subnet]): set[subnet
 	return new_value;
 	}
 
-function update_zones_regex(id: string, new_value: set[string]): set[string]
+function update_local_zones_regex(id: string, new_value: set[string]): set[string]
 	{
 	# Double backslashes are needed due to string parsing.
-	if ( id == "Site::local_zones" )
-		local_dns_suffix_regex = set_to_regex(new_value, "(^\\.?|\\.)(~~)$");
-	else if ( id == "Site::neighbor_zones" )
-		local_dns_neighbor_suffix_regex = set_to_regex(new_value, "(^\\.?|\\.)(~~)$");
+	local_dns_suffix_regex = set_to_regex(new_value, "(^\\.?|\\.)(~~)$");
+	return new_value;
+	}
+
+function update_neighbor_zones_regex(id: string, new_value: set[string]): set[string]
+	{
+	local_dns_neighbor_suffix_regex = set_to_regex(new_value, "(^\\.?|\\.)(~~)$");
 	return new_value;
 	}
 
 event zeek_init() &priority=10
 	{
 	Option::set_change_handler("Site::local_nets", update_local_nets_table);
-	Option::set_change_handler("Site::local_zones", update_zones_regex);
-	Option::set_change_handler("Site::neighbor_zones", update_zones_regex);
+	Option::set_change_handler("Site::local_zones", update_local_zones_regex);
+	Option::set_change_handler("Site::neighbor_zones", update_neighbor_zones_regex);
 
 	# Use change handler to initialize local_nets mapping table and zones
 	# regexes.
 	update_local_nets_table("Site::local_nets", Site::local_nets);
-	update_zones_regex("Site::local_zones", Site::local_zones);
-	update_zones_regex("Site::neighbor_zones", Site::neighbor_zones);
+	update_local_zones_regex("Site::local_zones", Site::local_zones);
+	update_neighbor_zones_regex("Site::neighbor_zones", Site::neighbor_zones);
 	}

From 825fb1c24ad90a7e82fc2e1d1c7f35c5532b65f4 Mon Sep 17 00:00:00 2001
From: Yacin Nadji <yacin.nadji@corelight.com>
Date: Mon, 8 Aug 2022 11:47:52 +0200
Subject: [PATCH 3/4] lower priority for change handlers

---
 scripts/base/utils/site.zeek | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/scripts/base/utils/site.zeek b/scripts/base/utils/site.zeek
index 17b4da03fc..d26cff6791 100644
--- a/scripts/base/utils/site.zeek
+++ b/scripts/base/utils/site.zeek
@@ -257,9 +257,11 @@ function update_neighbor_zones_regex(id: string, new_value: set[string]): set[st
 
 event zeek_init() &priority=10
 	{
-	Option::set_change_handler("Site::local_nets", update_local_nets_table);
-	Option::set_change_handler("Site::local_zones", update_local_zones_regex);
-	Option::set_change_handler("Site::neighbor_zones", update_neighbor_zones_regex);
+	# Have these run with a lower priority so we account for additions/removals
+	# from user created change handlers.
+	Option::set_change_handler("Site::local_nets", update_local_nets_table, -5);
+	Option::set_change_handler("Site::local_zones", update_local_zones_regex, -5);
+	Option::set_change_handler("Site::neighbor_zones", update_neighbor_zones_regex, -5);
 
 	# Use change handler to initialize local_nets mapping table and zones
 	# regexes.

From 84610ed832055158033b9ac454715404f663bcc0 Mon Sep 17 00:00:00 2001
From: Yacin Nadji <yacin.nadji@corelight.com>
Date: Mon, 8 Aug 2022 11:52:06 +0200
Subject: [PATCH 4/4] update plugins.hooks baseline

---
 testing/btest/Baseline/plugins.hooks/output | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index fb698f57cf..6fb7e4b453 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -542,9 +542,12 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Signatures::summary_interval, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::local_admins, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::local_nets, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::local_nets, Site::update_local_nets_table{ <init> Site::cidr{ for ([Site::cidr] in Site::new_value) Site::local_nets_table[Site::cidr] = Site::cidrreturn (Site::new_value)}}, -5)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::local_zones, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::local_zones, Site::update_local_zones_regex{ Site::local_dns_suffix_regex = set_to_regex(Site::new_value, (^\.?|\.)(~~)$)return (Site::new_value)}, -5)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_nets, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_zones, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_zones, Site::update_neighbor_zones_regex{ Site::local_dns_neighbor_suffix_regex = set_to_regex(Site::new_value, (^\.?|\.)(~~)$)return (Site::new_value)}, -5)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::private_address_space, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Software::asset_tracking, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::ignore_hosts, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
@@ -659,6 +662,9 @@
 0.000000   MetaHookPost  CallFunction(PacketFilter::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Pcap::install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Pcap::precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Site::update_local_nets_table, <frame>, (Site::local_nets, {})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Site::update_local_zones_regex, <frame>, (Site::local_zones, {})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Site::update_neighbor_zones_regex, <frame>, (Site::neighbor_zones, {})) -> <no result>
 0.000000   MetaHookPost  CallFunction(SumStats::add_observe_plugin_dependency, <frame>, (SumStats::STD_DEV, SumStats::VARIANCE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(SumStats::add_observe_plugin_dependency, <frame>, (SumStats::VARIANCE, SumStats::AVERAGE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, <frame>, (SumStats::AVERAGE, lambda_<3452231521688988155>{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) -> <no result>
@@ -2024,9 +2030,12 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Signatures::summary_interval, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::local_admins, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::local_nets, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::local_nets, Site::update_local_nets_table{ <init> Site::cidr{ for ([Site::cidr] in Site::new_value) Site::local_nets_table[Site::cidr] = Site::cidrreturn (Site::new_value)}}, -5))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::local_zones, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::local_zones, Site::update_local_zones_regex{ Site::local_dns_suffix_regex = set_to_regex(Site::new_value, (^\.?|\.)(~~)$)return (Site::new_value)}, -5))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_nets, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_zones, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_zones, Site::update_neighbor_zones_regex{ Site::local_dns_neighbor_suffix_regex = set_to_regex(Site::new_value, (^\.?|\.)(~~)$)return (Site::new_value)}, -5))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::private_address_space, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Software::asset_tracking, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::ignore_hosts, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
@@ -2141,6 +2150,9 @@
 0.000000   MetaHookPre   CallFunction(PacketFilter::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Pcap::install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter))
 0.000000   MetaHookPre   CallFunction(Pcap::precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip))
+0.000000   MetaHookPre   CallFunction(Site::update_local_nets_table, <frame>, (Site::local_nets, {}))
+0.000000   MetaHookPre   CallFunction(Site::update_local_zones_regex, <frame>, (Site::local_zones, {}))
+0.000000   MetaHookPre   CallFunction(Site::update_neighbor_zones_regex, <frame>, (Site::neighbor_zones, {}))
 0.000000   MetaHookPre   CallFunction(SumStats::add_observe_plugin_dependency, <frame>, (SumStats::STD_DEV, SumStats::VARIANCE))
 0.000000   MetaHookPre   CallFunction(SumStats::add_observe_plugin_dependency, <frame>, (SumStats::VARIANCE, SumStats::AVERAGE))
 0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, <frame>, (SumStats::AVERAGE, lambda_<3452231521688988155>{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)}))
@@ -3505,9 +3517,12 @@
 0.000000 | HookCallFunction Option::set_change_handler(Signatures::summary_interval, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(Site::local_admins, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(Site::local_nets, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(Site::local_nets, Site::update_local_nets_table{ <init> Site::cidr{ for ([Site::cidr] in Site::new_value) Site::local_nets_table[Site::cidr] = Site::cidrreturn (Site::new_value)}}, -5)
 0.000000 | HookCallFunction Option::set_change_handler(Site::local_zones, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(Site::local_zones, Site::update_local_zones_regex{ Site::local_dns_suffix_regex = set_to_regex(Site::new_value, (^\.?|\.)(~~)$)return (Site::new_value)}, -5)
 0.000000 | HookCallFunction Option::set_change_handler(Site::neighbor_nets, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(Site::neighbor_zones, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(Site::neighbor_zones, Site::update_neighbor_zones_regex{ Site::local_dns_neighbor_suffix_regex = set_to_regex(Site::new_value, (^\.?|\.)(~~)$)return (Site::new_value)}, -5)
 0.000000 | HookCallFunction Option::set_change_handler(Site::private_address_space, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(Software::asset_tracking, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(Weird::ignore_hosts, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
@@ -3622,6 +3637,9 @@
 0.000000 | HookCallFunction PacketFilter::log_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Pcap::install_pcap_filter(PacketFilter::DefaultPcapFilter)
 0.000000 | HookCallFunction Pcap::precompile_pcap_filter(PacketFilter::DefaultPcapFilter, ip or not ip)
+0.000000 | HookCallFunction Site::update_local_nets_table(Site::local_nets, {})
+0.000000 | HookCallFunction Site::update_local_zones_regex(Site::local_zones, {})
+0.000000 | HookCallFunction Site::update_neighbor_zones_regex(Site::neighbor_zones, {})
 0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::STD_DEV, SumStats::VARIANCE)
 0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::VARIANCE, SumStats::AVERAGE)
 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::AVERAGE, lambda_<3452231521688988155>{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})