Replace some code-block Sphinx directives

Simplifying to either code or console directives
2025-10-07 17:18:20 +00:00 · 2018-12-19 15:33:57 -06:00 · 2018-12-19 15:33:57 -06:00 · ce320ce984
commit ce320ce984
parent 2a3a66fce2
10 changed files with 66 additions and 66 deletions
--- a/doc/broids/index.rst
+++ b/doc/broids/index.rst
@ -24,7 +24,7 @@ rejected usernames and passwords occurring from a single address.  We
 start by defining a threshold for the number of attempts, a monitoring
 interval (in minutes), and a new notice type.
-.. code-block:: bro
+.. code:: bro
   :caption: detect-bruteforcing.bro
   module FTP;
@ -53,7 +53,7 @@ function to break down the reply code and check if the first digit is a
 "5" or not. If true, we then use the :ref:`Summary Statistics Framework
 <sumstats-framework>` to keep track of the number of failed attempts.
-.. code-block:: bro
+.. code:: bro
   :caption: detect-bruteforcing.bro
   event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
@ -70,7 +70,7 @@ Next, we use the SumStats framework to raise a notice of the attack when
 the number of failed attempts exceeds the specified threshold during the
 measuring interval.
-.. code-block:: bro
+.. code:: bro
   :caption: detect-bruteforcing.bro
   event bro_init()
@ -99,7 +99,7 @@ measuring interval.
 Below is the final code for our script.
-.. code-block:: bro
+.. code:: bro
   :caption: detect-bruteforcing.bro
   ##! FTP brute-forcing detector, triggering when too many rejected usernames or
@ -163,7 +163,7 @@ Below is the final code for our script.
           }
       }
-.. code-block:: console
+.. console::
   $ bro -r ftp/bruteforce.pcap protocols/ftp/detect-bruteforcing.bro
   $ cat notice.log
--- a/doc/frameworks/file-analysis.rst
+++ b/doc/frameworks/file-analysis.rst
@ -41,7 +41,7 @@ Here's a simple example:
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -r http/get.trace file_analysis_01.bro
   file_state_remove
@ -88,7 +88,7 @@ calculate the MD5 of plain text files:
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -r http/get.trace file_analysis_02.bro
   new file, FakNcS1Jfe01uljb3
@ -137,7 +137,7 @@ the input framework uses to uniquely identify an input stream.
 Example output of the above script may be:
-.. code-block:: console
+.. console::
   $ echo "Hello world" > myfile
   $ bro file_analysis_03.bro
--- a/doc/frameworks/netcontrol.rst
+++ b/doc/frameworks/netcontrol.rst
@ -143,7 +143,7 @@ plugin to print one line to the standard output, which contains information
 about the rule that was added. It will also cause creation of `netcontrol.log`,
 which contains information about all actions that are taken by NetControl:
-.. code-block:: console
+.. console::
   $ bro -C -r tls/ecdhe.pcap netcontrol-1-drop-with-debug.bro
   netcontrol debug (Debug-All): init
@ -179,7 +179,7 @@ additional log called `netcontrol_drop.log`. This log file is much more succinct
 only contains information that is specific to drops that are enacted by
 NetControl:
-.. code-block:: console
+.. console::
   $ cat netcontrol_drop.log
   #separator \x09
@ -203,7 +203,7 @@ following code automatically blocks a recognized SSH guesser:
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -C -r ssh/sshguess.pcap netcontrol-2-ssh-guesser.bro
   netcontrol debug (Debug-All): init
@ -233,7 +233,7 @@ the :bro:see:`Notice::ACTION_DROP` action of the notice framework:
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -C -r ssh/sshguess.pcap netcontrol-3-ssh-guesser.bro
   netcontrol debug (Debug-All): init
@ -259,7 +259,7 @@ Using the :bro:see:`Notice::ACTION_DROP` action of the notice framework also
 will cause the `dropped` column in `notice.log` to be set to true each time that
 the NetControl framework enacts a block:
-.. code-block:: console
+.. console::
   $ cat notice.log
   #separator \x09
@ -326,7 +326,7 @@ drops all connections on the network:
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -C -r tls/ecdhe.pcap netcontrol-4-drop.bro
   netcontrol debug (Debug-All): init
@ -386,7 +386,7 @@ originating from the 192.168.* network:
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -C -r tls/ecdhe.pcap netcontrol-5-hook.bro
   netcontrol debug (Debug-All): init
@ -465,7 +465,7 @@ address is already blocked in the second connection.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -C -r tls/google-duplicate.trace netcontrol-6-find.bro
   netcontrol debug (Debug-All): init
@ -519,7 +519,7 @@ Using catch and release in your scripts is easy; just use
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -C -r tls/ecdhe.pcap netcontrol-7-catch-release.bro
   netcontrol debug (Debug-All): init
@ -535,7 +535,7 @@ first 10 minutes, it is blocked for 1 hour and then monitored for 24 hours, etc.
 Catch and release adds its own new logfile in addition to the already existing
 ones (netcontrol_catch_release.log):
-.. code-block:: console
+.. console::
   $ cat netcontrol_catch_release.log
   #separator \x09
@ -664,7 +664,7 @@ plugin. We manually block a few addresses in the
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro netcontrol-8-multiple.bro
   netcontrol debug (Debug-All): init
@ -675,7 +675,7 @@ output to the command line. The other two lines are handled by the OpenFlow
 plugin. We can verify this by looking at netcontrol.log. The plugin column shows
 which plugin handled a rule and reveals that two rules were handled by OpenFlow:
-.. code-block:: console
+.. console::
   $ cat netcontrol.log
   #separator \x09
@ -702,7 +702,7 @@ which plugin handled a rule and reveals that two rules were handled by OpenFlow:
 Furthermore, openflow.log also shows the two added rules, converted to OpenFlow
 flow mods:
-.. code-block:: console
+.. console::
   $ cat openflow.log
   #separator \x09
@ -792,7 +792,7 @@ to our very first example:
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro
   add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={
--- a/doc/frameworks/notice.rst
+++ b/doc/frameworks/notice.rst
@ -96,7 +96,7 @@ the server at 192.168.56.103:
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -C -r ssh/sshguess.pcap notice_ssh_guesser.bro
   $ cat notice.log
--- a/doc/frameworks/sumstats.rst
+++ b/doc/frameworks/sumstats.rst
@ -81,7 +81,7 @@ inline documentation that does this with the Sumstats framework:
 When run on a sample PCAP file from the Bro test suite, the following output
 is created:
-.. code-block:: console
+.. console::
   $ bro -r workshop_2011_browse.trace sumstats-countconns.bro
   Number of connections established: 6
@ -103,7 +103,7 @@ real-world functional example, that is left to the
 Let's see if there are any hosts that crossed the threshold in a PCAP file
 containing a host running nmap:
-.. code-block:: console
+.. console::
   $ bro -r nmap-vsn.trace sumstats-toy-scan.bro
   192.168.1.71 attempted 5 or more connections
--- a/doc/httpmonitor/index.rst
+++ b/doc/httpmonitor/index.rst
@ -89,7 +89,7 @@ detect a reply for a ``GET http://`` request.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -r http/proxy.pcap http_proxy_01.bro
   A local server is acting as an open proxy: 192.168.56.101
@ -104,7 +104,7 @@ will extend our basic script to also consider the additional codes.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -r http/proxy.pcap http_proxy_02.bro
   A local server is acting as an open proxy: 192.168.56.101
@ -117,7 +117,7 @@ network.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -r http/proxy.pcap http_proxy_03.bro
   A local server is acting as an open proxy: 192.168.56.101
@ -140,7 +140,7 @@ Below is the complete script.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -r http/proxy.pcap http_proxy_04.bro
   $ cat notice.log
@ -178,7 +178,7 @@ using the :ref:`File Analysis Framework <file-analysis-framework>`
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -r bro.org.pcap file_extraction.bro
   Extracting file HTTP-FiIpIB2hRQSDBOSJRg.html
--- a/doc/logs/index.rst
+++ b/doc/logs/index.rst
@ -41,7 +41,7 @@ As the fields of the log entries can be further customized by the
 user, the Logging Framework makes use of a header block to ensure that
 it remains self-describing. Here's the first few lines of a ``conn.log``.
-.. code-block:: console
+.. console::
   $ cat conn.log
   #separator \x09
@ -139,7 +139,7 @@ require the user to refer to fields referenced by their position).
 For example, the following command extracts just the given columns
 from a ``conn.log``:
-.. code-block:: console
+.. console::
   $ cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration
   141.142.220.202   5353    224.0.0.251     -
@ -156,7 +156,7 @@ from a ``conn.log``:
 The corresponding ``awk`` command will look like this:
-.. code-block:: console
+.. console::
   $ awk '/^[^#]/ {print $3, $4, $5, $6, $9}' conn.log
   141.142.220.202 5353 224.0.0.251 5353 -
@ -223,7 +223,7 @@ includes the human readable time stamp, the unique identifier, the
 HTTP ``Host``, and HTTP ``URI`` as extracted from the ``http.log``
 file:
-.. code-block:: console
+.. console::
   $ bro-cut -d ts uid host uri < http.log
   2011-03-18T19:06:08+0000  CUM0KZ3MLUfNB0cl11      bits.wikimedia.org      /skins-1.5/monobook/main.css
@ -237,7 +237,7 @@ Often times log files from multiple sources are stored in UTC time to
 allow easy correlation.  Converting the timestamp from a log file to
 UTC can be accomplished with the ``-u`` option:
-.. code-block:: console
+.. console::
   $ bro-cut -u ts uid host uri < http.log
   2011-03-18T19:06:08+0000  CUM0KZ3MLUfNB0cl11      bits.wikimedia.org      /skins-1.5/monobook/main.css
@ -255,7 +255,7 @@ using the ``-D`` and ``-U`` flags, using the standard ``strftime``
 syntax. For example, to format the timestamp in the US-typical "Middle
 Endian" you could use a format string of: ``%d-%m-%YT%H:%M:%S%z``
-.. code-block:: console
+.. console::
   $ bro-cut -D %d-%m-%YT%H:%M:%S%z ts uid host uri < http.log
   18-03-2011T19:06:08+0000  CUM0KZ3MLUfNB0cl11      bits.wikimedia.org      /skins-1.5/monobook/main.css
@ -285,7 +285,7 @@ largest number of bytes from the responder by redirecting the output
 for ``cat conn.log`` into bro-cut to extract the UID and the
 resp_bytes, then sorting that output by the resp_bytes field.
-.. code-block:: console
+.. console::
   $ cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5
   CwjjYJ2WqgTbAqiHl6        734
@ -297,7 +297,7 @@ resp_bytes, then sorting that output by the resp_bytes field.
 Taking the UID of the first of the top responses, we can now
 crossreference that with the UIDs in the ``http.log`` file.
-.. code-block:: console
+.. console::
   $ cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11
   CUM0KZ3MLUfNB0cl11        208.80.152.118  GET     304     bits.wikimedia.org      /skins-1.5/monobook/main.css
--- a/doc/mimestats/index.rst
+++ b/doc/mimestats/index.rst
@ -81,7 +81,7 @@ final code for our script.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -r http/bro.org.pcap mimestats.bro
   #separator \x09
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@ -260,7 +260,7 @@ In ``local.bro``, let's define a new ``policy`` hook handler body:
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -r tls/tls-expired-cert.trace conditional-notice.bro
   $ cat notice.log
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@ -41,7 +41,7 @@ script :doc:`/scripts/policy/frameworks/files/detect-MHR.bro`
 that is responsible for generating the
 appropriate DNS lookup, parsing the response, and generating a notice if appropriate.
-.. code-block:: bro
+.. code:: bro
   :caption: detect-MHR.bro
   ##! Detect file downloads that have hash values matching files in Team
@ -126,7 +126,7 @@ specific event (``event file_hash``).  Don't get discouraged if you don't
 understand every section of the script; we'll cover the basics of the
 script and much more in following sections.
-.. code-block:: bro
+.. code:: bro
   :caption: detect-MHR.bro
   @load base/frameworks/files
@ -145,7 +145,7 @@ this level of granularity might not be entirely necessary.  The ``@load`` direct
 are ensuring the Files framework, the Notice framework and the script to hash all files has
 been loaded by Bro.
-.. code-block:: bro
+.. code:: bro
   :caption: detect-MHR.bro
   export {
@ -196,7 +196,7 @@ Up until this point, the script has merely done some basic setup.  With
 the next section, the script starts to define instructions to take in
 a given event.
-.. code-block:: bro
+.. code:: bro
   :caption: detect-MHR.bro
   function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
@ -324,7 +324,7 @@ This effort resulted in built-in-function files organized such that
 each entry contains a descriptive event name, the arguments passed to
 the event, and a concise explanation of the functions use.
-.. code-block:: bro
+.. code:: bro
   ## Generated for DNS requests. For requests with multiple queries, this event
   ## is raised once for each.
@ -413,7 +413,7 @@ more layers of information about a connection.  This will give us a
 chance to see the contents of the connection record without it being
 overly populated.
-.. code-block:: console
+.. console::
   $ bro -b -r http/get.trace connection_record_01.bro
   [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
@ -449,7 +449,7 @@ brackets, which would correspond to the ``$``-delimiter in a Bro script.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $bro -b -r http/get.trace connection_record_02.bro
   [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
@ -562,7 +562,7 @@ would fail.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -b data_type_const.bro
   {
@ -711,7 +711,7 @@ You can see the full script and its output below.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro data_struct_set_declaration.bro
   SSL Port: 22/tcp
@ -735,7 +735,7 @@ to preserve a one-to-one mapping of keys to values.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro data_struct_table_declaration.bro
   Service Name:  SSH - Common Port: 22/tcp
@ -771,7 +771,7 @@ security platform.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -b data_struct_table_complex.bro
   Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai
@ -824,7 +824,7 @@ lengths.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro data_struct_vector_declaration.bro
   contents of v1: [1, 2, 3, 4]
@ -846,7 +846,7 @@ current item in the vector with ``addr_vector[i]``.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro -b data_struct_vector_iter.bro
   1.2.0.0/18
@ -923,7 +923,7 @@ For example, ``10.0.0.1 in 10.0.0.0/8`` would return true while
 script, we get the output listing the IP address and the subnet in
 which it belongs.
-.. code-block:: console
+.. console::
   $ bro data_type_subnets.bro
   172.16.4.56 belongs to subnet 172.16.0.0/20
@ -959,7 +959,7 @@ produce a common date time formatted time stamp.
 When the script is executed we get an output showing the details of
 established connections.  
-.. code-block:: console
+.. console::
   $ bro -r wikipedia.trace data_type_time.bro
   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118\x0a
@ -1009,7 +1009,7 @@ This time, when we execute the script we see an additional line in the
 output to display the time delta since the last fully established
 connection.  
-.. code-block:: console
+.. console::
   $ bro -r wikipedia.trace data_type_interval.bro
   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118
@ -1064,7 +1064,7 @@ excluding the actual matches.  In this case, our pattern matches
 twice, and results in a table with three entries.  The ``print`` statements
 in the script will print the contents of the table in order.  
-.. code-block:: console
+.. console::
   $ bro data_type_pattern_01.bro
   The
@ -1081,7 +1081,7 @@ on the result of the comparison between the pattern and the string.
 .. literalinclude:: data_type_pattern_02.bro
-.. code-block:: console
+.. console::
   $ bro data_type_pattern_02.bro
   equality and /^?(equal)$?/ are not equal
@ -1126,7 +1126,7 @@ field is unique.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro data_struct_record_01.bro
   Service: dns(RFC1035)
@ -1153,7 +1153,7 @@ record.
 .. literalinclude:: data_struct_record_02.bro
-.. code-block:: console
+.. console::
   $ bro data_struct_record_02.bro
   System: morlock
@ -1173,7 +1173,7 @@ It's also common to see a ``type`` used to simply alias a data
 structure to a more descriptive name.  The example below shows an
 example of this from Bro's own type definitions file.
-.. code-block:: bro
+.. code:: bro
   :caption: init-bare.bro
   type string_array: table[count] of string;
@ -1240,7 +1240,7 @@ into the Logging Framework.
   :language: bro
   :linenos:
-.. code-block:: console
+.. console::
   $ bro framework_logging_factorial_01.bro
   1
@ -1297,7 +1297,7 @@ Now, if we run this script, instead of generating
 logging information to stdout, no output is created.  Instead the
 output is all in ``factor.log``, properly formatted and organized.
-.. code-block:: console
+.. console::
   $ bro framework_logging_factorial_02.bro
   $ cat factor.log
@ -1371,7 +1371,7 @@ factorials that are a factors of 5, ``factor-non5.log`` with the
 factorials that are not factors of 5, and ``factor.log`` which would have
 included all factorials.  
-.. code-block:: console
+.. console::
   $ bro framework_logging_factorial_03.bro
   $ cat factor-mod5.log
@ -1473,7 +1473,7 @@ or not that notice is acted upon is decided by the local Notice
 Policy, but the script attempts to supply as much information as
 possible while staying concise.  
-.. code-block:: bro
+.. code:: bro
   :caption: scripts/policy/protocols/ssh/interesting-hostnames.bro
   ##! This script will generate a notice if an apparent SSH login originates
@ -1604,7 +1604,7 @@ identifier.  An identifier is a unique string of information collected
 from the connection relative to the behavior that has been observed by
 Bro.  
-.. code-block:: bro
+.. code:: bro
   :caption: scripts/policy/protocols/ssl/expiring-certs.bro
   NOTICE([$note=Certificate_Expires_Soon,