Merge remote-tracking branch 'origin/master' into topic/johanna/clone

.gitmodules

@@ -4,12 +4,9 @@
 [submodule "aux/binpac"]
 	path = aux/binpac
 	url = https://github.com/zeek/binpac
-[submodule "aux/broccoli"]
+[submodule "aux/zeekctl"]
-	path = aux/broccoli
+	path = aux/zeekctl
-	url = https://github.com/zeek/broccoli
+	url = https://github.com/zeek/zeekctl
-[submodule "aux/broctl"]
-	path = aux/broctl
-	url = https://github.com/zeek/broctl
 [submodule "aux/btest"]
 	path = aux/btest
 	url = https://github.com/zeek/btest

CHANGES

@@ -1,4 +1,169 @@
 
+2.6-311 | 2019-05-20 09:07:58 -0700
+
+  * Add missing &optional attr to KRB record fields; also add existence
+    checks to scripts (Jon Siwek, Corelight).
+
+2.6-308 | 2019-05-17 14:13:46 -0700
+
+  * Always emit scripting errors to stderr during zeek_init (Jon Siwek, Corelight)
+
+2.6-307 | 2019-05-16 13:37:24 -0700
+
+  * More bro-to-zeek renaming in scripts and other files (Daniel Thayer)
+
+  * More bro-to-zeek renaming in the unit tests (Daniel Thayer)
+
+2.6-303 | 2019-05-15 15:03:11 -0700
+
+  * Changes needed due to bro-to-zeek renaming in broker (Daniel Thayer)
+
+2.6-301 | 2019-05-15 10:05:53 -0700
+
+  * Fix potential race in openflow broker plugin (Jon Siwek, Corelight)
+
+2.6-300 | 2019-05-15 09:00:57 -0700
+
+  * Fixes to DNS lookup, including ref-counting bugs, preventing starvation
+    of the DNS_Mgr in the I/O loop, dead code removal, and a fix that
+    prevents the timeout of already resolved DNS lookups (Jon Siwek, Corelight)
+
+2.6-292 | 2019-05-14 19:01:05 -0700
+
+  * Fix maybe-uninitialized compiler warning (Jon Siwek, Corelight)
+
+2.6-290 | 2019-05-14 18:35:25 -0700
+
+  * Update btest.cfg path to use zeek-aux (Jon Siwek, Corelight)
+
+2.6-288 | 2019-05-14 17:47:55 -0700
+
+  * Update CMake to use aux/zeekctl and aux/zeek-aux submodules (Jon Siwek, Corelight)
+
+2.6-287 | 2019-05-14 17:40:40 -0700
+
+  * Rename broctl submodule to zeekctl (Jon Siwek, Corelight)
+
+2.6-286 | 2019-05-14 13:19:12 -0700
+
+  * Undo an unintentional change to btest.cfg from a recent commit (Daniel Thayer)
+
+  * Fix zeek-wrapper and improve error messages (Daniel Thayer)
+
+    The script was not passing command-line arguments to the new program.
+
+  * Update for renaming BroControl to ZeekControl. (Robin Sommer, Corelight)
+
+  * GH-239: Rename bro to zeek, bro-config to zeek-config, and bro-path-dev to zeek-path-dev.
+    (Robin Sommer, Corelight)
+
+    This also installs symlinks from "zeek" and "bro-config" to a wrapper
+    script that prints a deprecation warning.
+
+2.6-279 | 2019-05-13 20:02:59 -0700
+
+  * GH-365: improve un-indexable type error message (Jon Siwek, Corelight)
+
+2.6-277 | 2019-05-08 12:42:18 -0700
+
+  * Allow tuning Broker log batching via scripts (Jon Siwek, Corelight)
+
+    Via redefining "Broker::log_batch_size" or "Broker::log_batch_interval"
+
+2.6-276 | 2019-05-08 09:03:27 -0700
+
+  * Force the Broker IOSource to idle periodically, preventing packet
+	  IOSource starvation. (Jon Siwek, Corelight).
+
+2.6-274 | 2019-05-08 08:58:25 -0700
+
+  * GH-353: Add `/<re>/i` case-insensitive signature syntax (Jon Siwek, Corelight)
+
+2.6-272 | 2019-05-06 18:43:13 -0700
+
+  * Remove support for using && and || with patterns. (Johanna Amann, Corelight)
+
+    This was never documented and previously deprecated.
+
+  * Remove RemoteSerializer and related code/types. (Johanna Amann, Corelight)
+
+    Also removes broccoli from the source tree.
+
+  * Remove PersistenceSerializer. (Johanna Amann, Corelight)
+
+  * Remove &synchronized and &persistent attributes. (Johanna Amann, Corelight)
+
+2.6-264 | 2019-05-03 11:16:38 -0700
+
+  * Fix sporadic openflow/broker test failure (Jon Siwek, Corelight)
+
+2.6-263 | 2019-05-02 22:49:40 -0700
+
+  * Install local.zeek as symlink to pre-existing local.bro (Jon Siwek, Corelight)
+
+    This a convenience for those that are upgrading.  If we didn't do
+    this, then deployments can silently break until the user intervenes
+    since BroControl now prefers to load the initially-vanilla local.zeek
+    instead of the formerly-customized local.bro.
+
+2.6-262 | 2019-05-02 21:39:01 -0700
+
+  * Rename Zeexygen to Zeekygen (Jon Siwek, Corelight)
+
+2.6-261 | 2019-05-02 20:49:23 -0700
+
+  * Remove previously deprecated policy/protocols/smb/__load__ (Jon Siwek, Corelight)
+
+2.6-260 | 2019-05-02 19:16:48 -0700
+
+  * GH-243: Remove deprecated functions/events from 2.6 and earlier (Johanna Amann, Corelight)
+
+2.6-258 | 2019-05-02 12:26:54 -0700
+
+  * GH-340: Improve IPv4/IPv6 regexes, extraction, and validity functions.
+
+    is_valid_ip() is not a BIF, the IP regular expressions are improved and
+    extract_ip_addresses should give better results due to this.
+    (Jon Siwek, Corelight)
+
+2.6-255 | 2019-05-01 08:38:49 -0700
+
+  * Add methods to queue events without handler existence check
+
+    Added ConnectionEventFast() and QueueEventFast() methods to avoid
+    redundant event handler existence checks.
+
+    It's common practice for caller to already check for event handler
+    existence before doing all the work of constructing the arguments, so
+    it's desirable to not have to check for existence again.
+
+    E.g. going through ConnectionEvent() means 3 existence checks:
+    one you do yourself before calling it, one in ConnectionEvent(), and then
+    another in QueueEvent().
+
+    The existence check itself can be more than a few operations sometimes
+    as it needs to check a few flags that determine if it's enabled, has
+    a local body, or has any remote receivers in the old comm. system or
+    has been flagged as something to publish in the new comm. system. (Jon Siwek, Corelight)
+
+  * Cleanup/improve PList usage and Event API
+
+    Majority of PLists are now created as automatic/stack objects,
+    rather than on heap and initialized either with the known-capacity
+    reserved upfront or directly from an initializer_list (so there's no
+    wasted slack in the memory that gets allocated for lists containing
+    a fixed/known number of elements).
+
+    Added versions of the ConnectionEvent/QueueEvent methods that take
+    a val_list by value.
+
+    Added a move ctor/assign-operator to Plists to allow passing them
+    around without having to copy the underlying array of pointers. (Jon Siwek, Corelight)
+
+2.6-250 | 2019-04-29 18:09:29 -0700
+
+  * Remove 'dns_resolver' option, replace w/ ZEEK_DNS_RESOLVER env. var. (Jon Siwek, Corelight)
+
 2.6-249 | 2019-04-26 19:26:44 -0700
 
   * Fix parsing of hybrid IPv6-IPv4 addr literals with no zero compression (Jon Siwek, Corelight)

CMakeLists.txt

@@ -1,7 +1,7 @@
 project(Bro C CXX)
 
 # When changing the minimum version here, also adapt
-# aux/bro-aux/plugin-support/skeleton/CMakeLists.txt
+# aux/zeek-aux/plugin-support/skeleton/CMakeLists.txt
 cmake_minimum_required(VERSION 2.8.12 FATAL_ERROR)
 
 include(cmake/CommonCMakeConfig.cmake)
@@ -23,31 +23,31 @@ endif ()
 
 set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX})
 if (NOT BRO_SCRIPT_INSTALL_PATH)
-    # set the default Bro script installation path (user did not specify one)
+    # set the default Zeek script installation path (user did not specify one)
     set(BRO_SCRIPT_INSTALL_PATH ${BRO_ROOT_DIR}/share/bro)
 endif ()
 
 if (NOT BRO_MAN_INSTALL_PATH)
-    # set the default Bro man page installation path (user did not specify one)
+    # set the default Zeek man page installation path (user did not specify one)
     set(BRO_MAN_INSTALL_PATH ${BRO_ROOT_DIR}/share/man)
 endif ()
 
-# sanitize the Bro script install directory into an absolute path
+# sanitize the Zeek script install directory into an absolute path
 # (CMake is confused by ~ as a representation of home directory)
 get_filename_component(BRO_SCRIPT_INSTALL_PATH ${BRO_SCRIPT_INSTALL_PATH}
     ABSOLUTE)
 
 set(BRO_PLUGIN_INSTALL_PATH ${BRO_ROOT_DIR}/lib/bro/plugins CACHE STRING "Installation path for plugins" FORCE)
 
-configure_file(bro-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev)
+configure_file(zeek-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev)
 
-file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.sh
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.sh
-     "export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n"
+     "export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
      "export BRO_PLUGIN_PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n"
      "export PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
 
-file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.csh
-     "setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n"
+     "setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
      "setenv BRO_PLUGIN_PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n"
      "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
 
@@ -254,36 +254,43 @@ if ( NOT BINARY_PACKAGING_MODE )
 endif ()
 
 string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)
-configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.h.in
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.h.in
-               ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h)
+               ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h)
 include_directories(${CMAKE_CURRENT_BINARY_DIR})
-install(FILES ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h DESTINATION include/bro)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/bro)
 
 if ( CAF_ROOT_DIR )
-  set(BRO_CONFIG_CAF_ROOT_DIR ${CAF_ROOT_DIR})
+  set(ZEEK_CONFIG_CAF_ROOT_DIR ${CAF_ROOT_DIR})
 else ()
-  set(BRO_CONFIG_CAF_ROOT_DIR ${BRO_ROOT_DIR})
+  set(ZEEK_CONFIG_CAF_ROOT_DIR ${BRO_ROOT_DIR})
 endif ()
 
 if ( BinPAC_ROOT_DIR )
-  set(BRO_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
+  set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
 else ()
-  set(BRO_CONFIG_BINPAC_ROOT_DIR ${BRO_ROOT_DIR})
+  set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BRO_ROOT_DIR})
 endif ()
 
 if ( BROKER_ROOT_DIR )
-  set(BRO_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
+  set(ZEEK_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
 else ()
-  set(BRO_CONFIG_BROKER_ROOT_DIR ${BRO_ROOT_DIR})
+  set(ZEEK_CONFIG_BROKER_ROOT_DIR ${BRO_ROOT_DIR})
 endif ()
 
-configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.in
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.in
-               ${CMAKE_CURRENT_BINARY_DIR}/bro-config @ONLY)
+               ${CMAKE_CURRENT_BINARY_DIR}/zeek-config @ONLY)
-install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/bro-config DESTINATION bin)
+install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/zeek-config DESTINATION bin)
 
 install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro
         USE_SOURCE_PERMISSIONS)
 
+# Install wrapper script for Bro-to-Zeek renaming.
+include(InstallShellScript)
+include(InstallSymlink)
+InstallShellScript("bin" "zeek-wrapper.in" "zeek-wrapper")
+InstallSymlink("${CMAKE_INSTALL_PREFIX}/bin/zeek-wrapper" "${CMAKE_INSTALL_PREFIX}/bin/bro-config")
+InstallSymlink("${CMAKE_INSTALL_PREFIX}/include/bro/zeek-config.h" "${CMAKE_INSTALL_PREFIX}/include/bro/bro-config.h")
+
 ########################################################################
 ## Recurse on sub-directories
 
@@ -324,14 +331,13 @@ add_subdirectory(man)
 
 include(CheckOptionalBuildSources)
 
-CheckOptionalBuildSources(aux/broctl   Broctl   INSTALL_BROCTL)
+CheckOptionalBuildSources(aux/zeekctl   ZeekControl INSTALL_ZEEKCTL)
-CheckOptionalBuildSources(aux/bro-aux  Bro-Aux  INSTALL_AUX_TOOLS)
+CheckOptionalBuildSources(aux/zeek-aux  Zeek-Aux  INSTALL_AUX_TOOLS)
-CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI)
 
 ########################################################################
 ## Packaging Setup
 
-if (INSTALL_BROCTL)
+if (INSTALL_ZEEKCTL)
     # CPack RPM Generator may not automatically detect this
     set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0")
 endif ()
@@ -352,12 +358,12 @@ if (CMAKE_BUILD_TYPE)
 endif ()
 
 message(
-    "\n====================|  Bro Build Summary  |====================="
+    "\n====================|  Zeek Build Summary  |===================="
     "\n"
     "\nBuild type:        ${CMAKE_BUILD_TYPE}"
     "\nBuild dir:         ${CMAKE_BINARY_DIR}"
     "\nInstall prefix:    ${CMAKE_INSTALL_PREFIX}"
-    "\nBro Script Path:   ${BRO_SCRIPT_INSTALL_PATH}"
+    "\nZeek Script Path:  ${BRO_SCRIPT_INSTALL_PATH}"
     "\nDebug mode:        ${ENABLE_DEBUG}"
     "\n"
     "\nCC:                ${CMAKE_C_COMPILER}"
@@ -366,8 +372,7 @@ message(
     "\nCXXFLAGS:          ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}"
     "\nCPP:               ${CMAKE_CXX_COMPILER}"
     "\n"
-    "\nBroccoli:          ${INSTALL_BROCCOLI}"
+    "\nZeekControl:       ${INSTALL_ZEEKCTL}"
-    "\nBroctl:            ${INSTALL_BROCTL}"
     "\nAux. Tools:        ${INSTALL_AUX_TOOLS}"
     "\n"
     "\nlibmaxminddb:      ${USE_GEOIP}"

Makefile

@@ -55,9 +55,9 @@ test:
 	-@( cd testing && make )
 
 test-aux:
-	-test -d aux/broctl && ( cd aux/broctl && make test-all )
+	-test -d aux/zeekctl && ( cd aux/zeekctl && make test-all )
 	-test -d aux/btest  && ( cd aux/btest && make test )
-	-test -d aux/bro-aux && ( cd aux/bro-aux && make test )
+	-test -d aux/zeek-aux && ( cd aux/zeek-aux && make test )
 	-test -d aux/plugins && ( cd aux/plugins && make test-all )
 
 test-all: test test-aux

NEWS

@@ -1,5 +1,5 @@
 
-This document summarizes the most important changes in the current Bro
+This document summarizes the most important changes in the current Zeek
 release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as Broker, come with their own ``CHANGES``.)
 
@@ -18,7 +18,7 @@ New Functionality
   - dns_NSEC
   - dns_NSEC3
 
-- Bro's Plugin framework now allows a patch version.  If a patch version is not
+- Zeek's Plugin framework now allows a patch version.  If a patch version is not
   provided, it will default to 0.  To specify this, modify the plugin
   Configuration class in your ``src/Plugin.cc`` and set
   ``config.version.patch``.  Note that the default plugin skeleton
@@ -72,14 +72,43 @@ New Functionality
   (capital for originator, lowercase responder) to indicate a content
   gap in the TCP stream.  These are recorded logarithmically.
 
+- The ``ZEEK_DNS_RESOLVER`` environment variable now controls
+  the DNS resolver to use by setting it to an IPv4 or IPv6 address.  If
+  not set, then the first IPv4 address from /etc/resolv.conf gets used.
+
+- The ``/<re>/i`` convenience syntax for case-insensitive patterns is now
+  also allowed when specifying patterns used in signature files.
+
 Changed Functionality
 ---------------------
 
+- The following executable names have changed (the old names will
+  continue to work, but emit a deprecation warning):
+
+  - ``bro`` is now ``zeek``
+
+  - ``bro-config`` is now ``zeek-config``
+
+  - ``broctl`` is now ``zeekctl``
+
+  - ``bro-cut`` is now ``zeek-cut``
+
+- BroControl has been completely renamed to ZeekControl.  Many installation
+  directories and files with "broctl" in their name have been changed
+  to use "zeekctl" instead.  It's expected this has been done in a way
+  that's backwards compatible with previous Bro installations.  E.g.
+  if you made customizations to the ``broctl.cfg`` file of a previous
+  installation, installing the newer Zeek version over it will retain that
+  file and even symlink the new ``zeekctl.cfg`` to it.
+
 - ``$prefix/share/bro/site/local.bro`` has been renamed to
-  ``local.zeek``.  If you have made customizations to that file, it
+  ``local.zeek``.  If you have a ``local.bro`` file from a previous
-  will no longer be loaded by default by BroControl (ZeekControl),
+  installation, possibly with customizations made to it, the new
-  but you can simply copy it to ``local.zeek`.  You may also want to
+  version of Zeek will install a ``local.zeek`` file that is a symlink
-  remove old ``local.bro`` files to avoid potential confusion.
+  to the pre-existing ``local.bro``.  In that case, you may want to
+  just copy ``local.bro`` into the new ``local.zeek`` location to
+  avoid confusion, but things are otherwise meant to work properly
+  without intervention.
 
 - All scripts ending in ``.bro`` that ship with the Zeek source tree have
   been renamed to ``.zeek``.
@@ -176,20 +205,122 @@ Changed Functionality
   and aren't counted as true gaps.
 
 - The Broxygen component, which is used to generate our Doxygen-like
-  scripting API documentation has been renamed to Zeexygen.  This likely has
+  scripting API documentation has been renamed to Zeekygen.  This likely has
   no breaking or visible changes for most users, except in the case one
   used it to generate their own documentation via the ``--broxygen`` flag,
-  which is now named ``--zeexygen``.  Besides that, the various documentation
+  which is now named ``--zeekygen``.  Besides that, the various documentation
   in scripts has also been updated to replace Sphinx cross-referencing roles
   and directives like ":bro:see:" with ":zeek:zee:".
 
 Removed Functionality
 ---------------------
 
+- A number of functions that were deprecated in version 2.6 or below and completely
+  removed from this release. Most of the functions were used for the old communication
+  code.
+
+    - ``find_ip_addresses``
+    - ``cat_string_array``
+    - ``cat_string_array_n``
+    - ``complete_handshake``
+    - ``connect``
+    - ``decode_base64_custom``
+    - ``disconnect``
+    - ``enable_communication``
+    - ``encode_base64_custom``
+    - ``get_event_peer``
+    - ``get_local_event_peer``
+    - ``join_string_array``
+    - ``listen``
+    - ``merge_pattern``
+    - ``request_remote_events``
+    - ``request_remote_logs``
+    - ``request_remote_sync``
+    - ``resume_state_updates``
+    - ``send_capture_filter``
+    - ``send_current_packet``
+    - ``send_id``
+    - ``send_ping``
+    - ``set_accept_state``
+    - ``set_compression_level``
+    - ``sort_string_array``
+    - ``split1``
+    - ``split_all``
+    - ``split``
+    - ``suspend_state_updates``
+    - ``terminate_communication``
+    - ``split``
+    - ``send_state``
+    - ``checkpoint_state``
+    - ``rescan_state``
+
+- The following events were deprecated in version 2.6 or below and are completely
+  removed from this release:
+
+    - ``ssl_server_curve``
+    - ``dhcp_ack``
+    - ``dhcp_decline``
+    - ``dhcp_discover``
+    - ``dhcp_inform``
+    - ``dhcp_nak``
+    - ``dhcp_offer``
+    - ``dhcp_release``
+    - ``dhcp_request``
+    - ``remote_state_access_performed``
+    - ``remote_state_inconsistency``
+    - ``remote_connection_established``
+    - ``remote_connection_closed``
+    - ``remote_connection_handshake_done``
+    - ``remote_event_registered``
+    - ``remote_connection_error``
+    - ``remote_capture_filter``
+    - ``remote_log_peer``
+    - ``remote_log``
+    - ``finished_send_state``
+    - ``remote_pong``
+
+- The following types/records were deprecated in version 2.6 or below and are
+  removed from this release:
+
+    - ``peer_id``
+    - ``event_peer``
+
+- The following configuration options were deprecated in version 2.6 or below and are
+  removed from this release:
+
+    - ``max_remote_events_processed``
+    - ``forward_remote_events``
+    - ``forward_remote_state_changes``
+    - ``enable_syslog``
+    - ``remote_trace_sync_interval``
+    - ``remote_trace_sync_peers``
+    - ``remote_check_sync_consistency``
+
+- The following constants were used as part of deprecated functionality in version 2.6
+  or below and are removed from this release:
+
+    - ``PEER_ID_NONE``
+    - ``REMOTE_LOG_INFO``
+    - ``REMOTE_SRC_CHILD``
+    - ``REMOTE_SRC_PARENT``
+    - ``REMOTE_SRC_SCRIPT``
+
+- The deprecated script ``policy/protocols/smb/__load__.bro`` was removed.
+  Instead of ``@load policy/protocols/smb`` use ``@load base/protocols/smb``.
+
+- Broccoli, which had been deprecated in version 2.6 and was no longer built by default
+  was removed from the source tree.
+
+- Support for the &persistent and the &synchronized attributes, which were deprecated
+  in Bro 2.6, was removed. The ``-g`` command-line option (dump-config) which relied on
+  this functionality was also removed.
+
+- Removed the BroControl ``update`` command, which was deprecated in Bro 2.6.
+
 Deprecated Functionality
 ------------------------
 
-- The ``str_shell_escape` function is now deprecated, use ``safe_shell_quote``
+- The ``str_shell_escape`` function is now deprecated, use ``safe_shell_quote``
   instead.  The later will automatically return a value that is enclosed
   in double-quotes.
 
@@ -200,6 +331,11 @@ Deprecated Functionality
   such that existing code will not break, but will emit a deprecation
   warning.
 
+- The ``rotate_file``, ``rotate_file_by_name`` and ``calc_next_rotate`` functions
+  were marked as deprecated. These functions were used with the old pre-2.0 logging
+  framework and are no longer used. They also were marked as deprecated in their
+  documentation, however the functions themselves did not carry the deprecation marker.
+
 Bro 2.6
 =======
 

VERSION

@@ -1 +1 @@
-2.6-249
+2.6-311

aux/bifcl

@@ -1 +1 @@
-Subproject commit 1b5375e9f81ecec59f983e6abe86300c6bbbcb8f
+Subproject commit 7a375f0749f2bc28083863ff7ec44f3fba3510fa

aux/binpac

@@ -1 +1 @@
-Subproject commit 04c7e27a22491a91ee309877253da0922d0822bc
+Subproject commit 1446af96ea4b76cc7a837e06b2da021754dde6e8

aux/broccoli

@@ -1 +0,0 @@
-Subproject commit 8668422406cb74f4f0c574a0c9b6365a21f3e81a

aux/broctl

@@ -1 +0,0 @@
-Subproject commit 39ae4a469d6ae86c12b49020b361da4fcab24b5b

aux/broctl

@@ -0,0 +1 @@
+zeekctl

aux/broker

@@ -1 +1 @@
-Subproject commit 56408c5582c80db6774c8b25642149dfb542345a
+Subproject commit 53f7e0da11c4d6ce014f27ae4dcf807a651fb634

aux/zeek-aux

@@ -1 +1 @@
-Subproject commit ba482418c4e16551fd7b9128a4082348ef2842f0
+Subproject commit 117e8a550de1266e2d50428344caf858aab0485b

aux/zeekctl

@@ -0,0 +1 @@
+Subproject commit bbfcb91b077a8bc145e39d7c941c50ba62826070

configure

@@ -32,14 +32,14 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
 
   Installation Directories:
     --prefix=PREFIX        installation directory [/usr/local/bro]
-    --scriptdir=PATH       root installation directory for Bro scripts
+    --scriptdir=PATH       root installation directory for Zeek scripts
                            [PREFIX/share/bro]
-    --localstatedir=PATH   when using BroControl, path to store log files
+    --localstatedir=PATH   when using ZeekControl, path to store log files
                            and run-time data (within log/ and spool/ subdirs)
                            [PREFIX]
-    --spooldir=PATH        when using BroControl, path to store run-time data
+    --spooldir=PATH        when using ZeekControl, path to store run-time data
                            [PREFIX/spool]
-    --logdir=PATH          when using BroControl, path to store log file
+    --logdir=PATH          when using ZeekControl, path to store log file
                            [PREFIX/logs]
     --conf-files-dir=PATH  config files installation directory [PREFIX/etc]
 
@@ -51,13 +51,12 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
                            (automatically on when perftools is present on Linux)
     --enable-perftools-debug use Google's perftools for debugging
     --enable-jemalloc      link against jemalloc
-    --enable-broccoli      build or install the Broccoli library (deprecated)
+    --enable-static-broker build Broker statically (ignored if --with-broker is specified)
-    --enable-static-broker build broker statically (ignored if --with-broker is specified)
     --enable-static-binpac build binpac statically (ignored if --with-binpac is specified)
-    --disable-broctl       don't install Broctl
+    --disable-zeekctl      don't install ZeekControl
     --disable-auxtools     don't build or install auxiliary tools
     --disable-perftools    don't try to build with Google Perftools
-    --disable-python       don't try to build python bindings for broker
+    --disable-python       don't try to build python bindings for Broker
     --disable-broker-tests don't try to build Broker unit tests
 
   Required Packages in Non-Standard Locations:
@@ -66,13 +65,13 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --with-pcap=PATH       path to libpcap install root
     --with-binpac=PATH     path to BinPAC executable
                            (useful for cross-compiling)
-    --with-bifcl=PATH      path to Bro BIF compiler executable
+    --with-bifcl=PATH      path to Zeek BIF compiler executable
                            (useful for cross-compiling)
     --with-flex=PATH       path to flex executable
     --with-bison=PATH      path to bison executable
     --with-python=PATH     path to Python executable
     --with-broker=PATH     path to Broker install root
-                           (Bro uses an embedded version by default)
+                           (Zeek uses an embedded version by default)
     --with-caf=PATH        path to C++ Actor Framework install root
                            (a Broker dependency that is embedded by default)
 
@@ -132,7 +131,7 @@ prefix=/usr/local/bro
 CMakeCacheEntries=""
 append_cache_entry CMAKE_INSTALL_PREFIX PATH   $prefix
 append_cache_entry BRO_ROOT_DIR         PATH   $prefix
-append_cache_entry PY_MOD_INSTALL_DIR   PATH   $prefix/lib/broctl
+append_cache_entry PY_MOD_INSTALL_DIR   PATH   $prefix/lib/zeekctl
 append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
 append_cache_entry BRO_ETC_INSTALL_DIR  PATH   $prefix/etc
 append_cache_entry ENABLE_DEBUG         BOOL   false
@@ -140,9 +139,8 @@ append_cache_entry ENABLE_PERFTOOLS     BOOL   false
 append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL false
 append_cache_entry ENABLE_JEMALLOC      BOOL   false
 append_cache_entry BUILD_SHARED_LIBS    BOOL   true
-append_cache_entry INSTALL_BROCCOLI     BOOL   false
 append_cache_entry INSTALL_AUX_TOOLS    BOOL   true
-append_cache_entry INSTALL_BROCTL       BOOL   true
+append_cache_entry INSTALL_ZEEKCTL      BOOL   true
 append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
 append_cache_entry ENABLE_MOBILE_IPV6   BOOL   false
 append_cache_entry DISABLE_PERFTOOLS    BOOL   false
@@ -182,7 +180,7 @@ while [ $# -ne 0 ]; do
             prefix=$optarg
             append_cache_entry CMAKE_INSTALL_PREFIX PATH   $optarg
             append_cache_entry BRO_ROOT_DIR         PATH   $optarg
-            append_cache_entry PY_MOD_INSTALL_DIR   PATH   $optarg/lib/broctl
+            append_cache_entry PY_MOD_INSTALL_DIR   PATH   $optarg/lib/zeekctl
             ;;
         --scriptdir=*)
             append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $optarg
@@ -221,18 +219,14 @@ while [ $# -ne 0 ]; do
         --enable-jemalloc)
             append_cache_entry ENABLE_JEMALLOC     BOOL   true
             ;;
-        --enable-broccoli)
-            append_cache_entry DISABLE_RUBY_BINDINGS     BOOL   true
-            append_cache_entry INSTALL_BROCCOLI     BOOL   yes
-            ;;
         --enable-static-broker)
             append_cache_entry BUILD_STATIC_BROKER    BOOL    true
             ;;
         --enable-static-binpac)
             append_cache_entry BUILD_STATIC_BINPAC    BOOL    true
             ;;
-        --disable-broctl)
+        --disable-zeekctl)
-            append_cache_entry INSTALL_BROCTL       BOOL   false
+            append_cache_entry INSTALL_ZEEKCTL       BOOL   false
             ;;
         --disable-auxtools)
             append_cache_entry INSTALL_AUX_TOOLS    BOOL   false

doc

@@ -1 +1 @@
-Subproject commit 073bb08473b8172b8bb175e0702204f15f522392
+Subproject commit b5720567293c652233287a17cf781f6195073159

man/zeek.8

@@ -5,13 +5,13 @@ bro \- passive network traffic analyzer
 .B bro
 \/\fP [\fIoptions\fR] [\fIfile\fR ...]
 .SH DESCRIPTION
-Bro is primarily a security monitor that inspects all traffic on a link in
+Zeek is primarily a security monitor that inspects all traffic on a link in
-depth for signs of suspicious activity. More generally, however, Bro
+depth for signs of suspicious activity. More generally, however, Zeek
 supports a wide range of traffic analysis tasks even outside of the
 security domain, including performance measurements and helping with
 trouble-shooting.
 
-Bro comes with built-in functionality for a range of analysis and detection
+Zeek comes with built-in functionality for a range of analysis and detection
 tasks, including detecting malware by interfacing to external registries,
 reporting vulnerable versions of software seen on the network, identifying
 popular web applications, detecting SSH brute-forcing, validating SSL
@@ -36,9 +36,6 @@ augment loaded policies by given code
 \fB\-f\fR,\ \-\-filter <filter>
 tcpdump filter
 .TP
-\fB\-g\fR,\ \-\-dump\-config
-dump current config into .state dir
-.TP
 \fB\-h\fR,\ \-\-help|\-?
 command line help
 .TP
@@ -99,7 +96,7 @@ Record process status in file
 \fB\-W\fR,\ \-\-watchdog
 activate watchdog timer
 .TP
-\fB\-X\fR,\ \-\-zeexygen <cfgfile>
+\fB\-X\fR,\ \-\-zeekygen <cfgfile>
 generate documentation based on config file
 .TP
 \fB\-\-pseudo\-realtime[=\fR<speedup>]
@@ -111,12 +108,12 @@ load seeds from given file
 \fB\-\-save\-seeds\fR <file>
 save seeds to given file
 .TP
-The following option is available only when Bro is built with the \-\-enable\-debug configure option:
+The following option is available only when Zeek is built with the \-\-enable\-debug configure option:
 .TP
 \fB\-B\fR,\ \-\-debug <dbgstreams>
 Enable debugging output for selected streams ('-B help' for help)
 .TP
-The following options are available only when Bro is built with gperftools support (use the \-\-enable\-perftools and \-\-enable\-perftools\-debug configure options):
+The following options are available only when Zeek is built with gperftools support (use the \-\-enable\-perftools and \-\-enable\-perftools\-debug configure options):
 .TP
 \fB\-m\fR,\ \-\-mem-leaks
 show leaks
@@ -150,7 +147,7 @@ ASCII log file extension
 Output file for script execution statistics
 .TP
 .B BRO_DISABLE_BROXYGEN
-Disable Zeexygen (Broxygen) documentation support
+Disable Zeekygen (Broxygen) documentation support
 .SH AUTHOR
 .B bro
-was written by The Bro Project <info@bro.org>.
+was written by The Zeek Project <info@zeek.org>.

scripts/CMakeLists.txt

@@ -8,8 +8,27 @@ install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING
         PATTERN "*.fp"
 )
 
-# Install all local* scripts as config files since they are meant to be
+if ( NOT BINARY_PACKAGING_MODE )
-# user modify-able.
+  # If the user has a local.bro file from a previous installation, prefer to
+  # symlink local.zeek to it to avoid breaking their custom configuration --
+  # because ZeekControl will now prefer to load local.zeek rather than local.bro
+  # and we're about to install a default version of local.zeek.
+
+  set(_local_bro_dst ${BRO_SCRIPT_INSTALL_PATH}/site/local.bro)
+  set(_local_zeek_dst ${BRO_SCRIPT_INSTALL_PATH}/site/local.zeek)
+
+  install(CODE "
+    if ( \"\$ENV{DESTDIR}\" STREQUAL \"\" )
+      if ( EXISTS \"${_local_bro_dst}\" AND NOT EXISTS \"${_local_zeek_dst}\" )
+        message(STATUS \"WARNING: installed ${_local_zeek_dst} as symlink to ${_local_bro_dst}\")
+        execute_process(COMMAND \"${CMAKE_COMMAND}\" -E create_symlink
+          \"${_local_bro_dst}\" \"${_local_zeek_dst}\")
+      endif ()
+    endif ()
+  ")
+endif ()
+
+# Install local script as a config file since it's meant to be modified directly.
 InstallPackageConfigFile(
     ${CMAKE_CURRENT_SOURCE_DIR}/site/local.zeek
     ${BRO_SCRIPT_INSTALL_PATH}/site

scripts/base/frameworks/analyzer/README

@@ -1,3 +1,3 @@
-The analyzer framework allows to dynamically enable or disable Bro's
+The analyzer framework allows to dynamically enable or disable Zeek's
 protocol analyzers, as well as to manage the well-known ports which
 automatically activate a particular analyzer for new connections.

scripts/base/frameworks/analyzer/main.zeek

@@ -1,4 +1,4 @@
-##! Framework for managing Bro's protocol analyzers.
+##! Framework for managing Zeek's protocol analyzers.
 ##!
 ##! The analyzer framework allows to dynamically enable or disable analyzers, as
 ##! well as to manage the well-known ports which automatically activate a
@@ -21,7 +21,7 @@ export {
 	global disable_all = F &redef;
 
 	## Enables an analyzer. Once enabled, the analyzer may be used for analysis
-	## of future connections as decided by Bro's dynamic protocol detection.
+	## of future connections as decided by Zeek's dynamic protocol detection.
 	##
 	## tag: The tag of the analyzer to enable.
 	##

scripts/base/frameworks/broker/README

@@ -1,2 +1,2 @@
-The Broker communication framework facilitates connecting to remote Bro
+The Broker communication framework facilitates connecting to remote Zeek
 instances to share state and transfer events.

scripts/base/frameworks/broker/main.zeek

@@ -32,27 +32,27 @@ export {
 	const disable_ssl = F &redef;
 
 	## Path to a file containing concatenated trusted certificates 
-	## in PEM format. If set, Bro will require valid certificates for
+	## in PEM format. If set, Zeek will require valid certificates for
 	## all peers.
 	const ssl_cafile = "" &redef;
 
 	## Path to an OpenSSL-style directory of trusted certificates.
-	## If set, Bro will require valid certificates for
+	## If set, Zeek will require valid certificates for
 	## all peers.
 	const ssl_capath = "" &redef;
 
 	## Path to a file containing a X.509 certificate for this
-	## node in PEM format. If set, Bro will require valid certificates for
+	## node in PEM format. If set, Zeek will require valid certificates for
 	## all peers.
 	const ssl_certificate = "" &redef;
 
 	## Passphrase to decrypt the private key specified by
-	## :zeek:see:`Broker::ssl_keyfile`. If set, Bro will require valid
+	## :zeek:see:`Broker::ssl_keyfile`. If set, Zeek will require valid
 	## certificates for all peers.
 	const ssl_passphrase = "" &redef;
 
 	## Path to the file containing the private key for this node's
-	## certificate. If set, Bro will require valid certificates for
+	## certificate. If set, Zeek will require valid certificates for
 	## all peers.
 	const ssl_keyfile = "" &redef;
 
@@ -61,6 +61,14 @@ export {
 	## control mechanisms).
 	const congestion_queue_size = 200 &redef;
 
+	## The max number of log entries per log stream to batch together when
+	## sending log messages to a remote logger.
+	const log_batch_size = 400 &redef;
+
+	## Max time to buffer log messages before sending the current set out as a
+	## batch.
+	const log_batch_interval = 1sec &redef;
+
 	## Max number of threads to use for Broker/CAF functionality.  The
 	## BRO_BROKER_MAX_THREADS environment variable overrides this setting.
 	const max_threads = 1 &redef;
@@ -339,7 +347,7 @@ export {
 	##        Peers advertise interest by registering a subscription to some
 	##        prefix of this topic name.
 	##
-	## ev: a Bro event value.
+	## ev: a Zeek event value.
 	##
 	## Returns: true if automatic event sending is now enabled.
 	global auto_publish: function(topic: string, ev: any): bool;

scripts/base/frameworks/broker/store.zeek

@@ -365,15 +365,15 @@ export {
 	# Data API               #
 	##########################
 
-	## Convert any Bro value to communication data.
+	## Convert any Zeek value to communication data.
 	##
 	## .. note:: Normally you won't need to use this function as data
-	##    conversion happens implicitly when passing Bro values into Broker
+	##    conversion happens implicitly when passing Zeek values into Broker
 	##    functions.
 	##
-	## d: any Bro value to attempt to convert (not all types are supported).
+	## d: any Zeek value to attempt to convert (not all types are supported).
 	##
-	## Returns: the converted communication data.  If the supplied Bro data
+	## Returns: the converted communication data.  If the supplied Zeek data
 	##          type does not support conversion to communication data, the
 	##          returned record's optional field will not be set.
 	global data: function(d: any): Broker::Data;

scripts/base/frameworks/cluster/README

@@ -1,2 +1,2 @@
 The cluster framework provides for establishing and controlling a cluster
-of Bro instances.
+of Zeek instances.

scripts/base/frameworks/cluster/main.zeek

@@ -1,6 +1,6 @@
-##! A framework for establishing and controlling a cluster of Bro instances.
+##! A framework for establishing and controlling a cluster of Zeek instances.
 ##! In order to use the cluster framework, a script named
-##! ``cluster-layout.zeek`` must exist somewhere in Bro's script search path
+##! ``cluster-layout.zeek`` must exist somewhere in Zeek's script search path
 ##! which has a cluster definition of the :zeek:id:`Cluster::nodes` variable.
 ##! The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node`
 ##! must also be sent and the cluster framework loaded as a package like
@@ -178,7 +178,7 @@ export {
 	global is_enabled: function(): bool;
 
 	## This function can be called at any time to determine what type of
-	## cluster node the current Bro instance is going to be acting as.
+	## cluster node the current Zeek instance is going to be acting as.
 	## If :zeek:id:`Cluster::is_enabled` returns false, then
 	## :zeek:enum:`Cluster::NONE` is returned.
 	##
@@ -194,7 +194,7 @@ export {
 	## The cluster layout definition.  This should be placed into a filter
 	## named cluster-layout.zeek somewhere in the BROPATH.  It will be
 	## automatically loaded if the CLUSTER_NODE environment variable is set.
-	## Note that BroControl handles all of this automatically.
+	## Note that ZeekControl handles all of this automatically.
 	## The table is typically indexed by node names/labels (e.g. "manager"
 	## or "worker-1").
 	const nodes: table[string] of Node = {} &redef;
@@ -202,7 +202,7 @@ export {
 	## Indicates whether or not the manager will act as the logger and receive
 	## logs.  This value should be set in the cluster-layout.zeek script (the
 	## value should be true only if no logger is specified in Cluster::nodes).
-	## Note that BroControl handles this automatically.
+	## Note that ZeekControl handles this automatically.
 	const manager_is_logger = T &redef;
 
 	## This is usually supplied on the command line for each instance

scripts/base/frameworks/cluster/nodes/logger.zeek

@@ -1,7 +1,7 @@
-##! This is the core Bro script to support the notion of a cluster logger.
+##! This is the core Zeek script to support the notion of a cluster logger.
 ##!
-##! The logger is passive (other Bro instances connect to us), and once
+##! The logger is passive (other Zeek instances connect to us), and once
-##! connected the logger receives logs from other Bro instances.
+##! connected the logger receives logs from other Zeek instances.
 ##! This script will be automatically loaded if necessary based on the
 ##! type of node being started.
 
@@ -24,6 +24,3 @@ redef Log::default_mail_alarms_interval = 24 hrs;
 
 ## Use the cluster's archive logging script.
 redef Log::default_rotation_postprocessor_cmd = "archive-log";
-
-## We're processing essentially *only* remote events.
-redef max_remote_events_processed = 10000;

scripts/base/frameworks/cluster/nodes/manager.zeek

@@ -1,4 +1,4 @@
-##! This is the core Bro script to support the notion of a cluster manager.
+##! This is the core Zeek script to support the notion of a cluster manager.
 ##!
 ##! The manager is passive (the workers connect to us), and once connected
 ##! the manager registers for the events on the workers that are needed
@@ -21,6 +21,3 @@ redef Log::default_rotation_interval = 24 hrs;
 
 ## Use the cluster's delete-log script.
 redef Log::default_rotation_postprocessor_cmd = "delete-log";
-
-## We're processing essentially *only* remote events.
-redef max_remote_events_processed = 10000;

scripts/base/frameworks/cluster/nodes/proxy.zeek

@@ -1,14 +1,10 @@
-##! Redefines the options common to all proxy nodes within a Bro cluster.
+##! Redefines the options common to all proxy nodes within a Zeek cluster.
 ##! In particular, proxies are not meant to produce logs locally and they
 ##! do not forward events anywhere, they mainly synchronize state between
 ##! worker nodes.
 
 @prefixes += cluster-proxy
 
-## The proxy only syncs state; does not forward events.
-redef forward_remote_events = F;
-redef forward_remote_state_changes = T;
-
 ## Don't do any local logging.
 redef Log::enable_local_logging = F;
 

scripts/base/frameworks/cluster/nodes/worker.zeek

@@ -1,4 +1,4 @@
-##! Redefines some options common to all worker nodes within a Bro cluster.
+##! Redefines some options common to all worker nodes within a Zeek cluster.
 ##! In particular, worker nodes do not produce logs locally, instead they
 ##! send them off to a logger node for processing.
 

scripts/base/frameworks/cluster/pools.zeek

@@ -351,7 +351,7 @@ event zeek_init() &priority=-5
 		return;
 
 	# Sorting now ensures the node distribution process is stable even if
-	# there's a change in the order of time-of-registration between Bro runs.
+	# there's a change in the order of time-of-registration between Zeek runs.
 	sort(registered_pools, pool_sorter);
 
 	pool_eligibility[Cluster::WORKER] =

scripts/base/frameworks/cluster/setup-connections.zeek

@@ -44,7 +44,7 @@ function connect_peers_with_type(node_type: NodeType)
 
 event zeek_init() &priority=-10
 	{
-	if ( getenv("BROCTL_CHECK_CONFIG") != "" )
+	if ( getenv("ZEEKCTL_CHECK_CONFIG") != "" )
 		return;
 
 	local self = nodes[node];

scripts/base/frameworks/config/README

@@ -1,2 +1,2 @@
-The configuration framework provides a way to change the Bro configuration
+The configuration framework provides a way to change the Zeek configuration
 in "option" values at run-time.

scripts/base/frameworks/config/main.zeek

@@ -1,4 +1,4 @@
-##! The configuration framework provides a way to change Bro options
+##! The configuration framework provides a way to change Zeek options
 ##! (as specified by the "option" keyword) at runtime. It also logs runtime
 ##! changes to options to config.log.
 

scripts/base/frameworks/control/README

@@ -1,3 +1,3 @@
 The control framework provides the foundation for providing "commands"
-that can be taken remotely at runtime to modify a running Bro instance
+that can be taken remotely at runtime to modify a running Zeek instance
 or collect information from the running instance.

scripts/base/frameworks/control/main.zeek

@@ -1,12 +1,12 @@
 ##! The control framework provides the foundation for providing "commands"
-##! that can be taken remotely at runtime to modify a running Bro instance
+##! that can be taken remotely at runtime to modify a running Zeek instance
 ##! or collect information from the running instance.
 
 module Control;
 
 export {
 	## The topic prefix used for exchanging control messages via Broker.
-	const topic_prefix = "bro/control";
+	const topic_prefix = "zeek/control";
 
 	## Whether the controllee should call :zeek:see:`Broker::listen`.
 	## In a cluster, this isn't needed since the setup process calls it.
@@ -58,7 +58,7 @@ export {
 	## Returns the current net_stats.
 	global net_stats_response: event(s: string);
 
-	## Inform the remote Bro instance that it's configuration may have been
+	## Inform the remote Zeek instance that it's configuration may have been
 	## updated.
 	global configuration_update_request: event();
 	## This event is a wrapper and alias for the
@@ -68,7 +68,7 @@ export {
 	## Message in response to a configuration update request.
 	global configuration_update_response: event();
 
-	## Requests that the Bro instance begins shutting down.
+	## Requests that the Zeek instance begins shutting down.
 	global shutdown_request: event();
 	## Message in response to a shutdown request.
 	global shutdown_response: event();

scripts/base/frameworks/input/README

@@ -1,2 +1,2 @@
 The input framework provides a way to read previously stored data either as
-an event stream or into a Bro table.
+an event stream or into a Zeek table.

scripts/base/frameworks/input/main.zeek

@@ -1,5 +1,5 @@
 ##! The input framework provides a way to read previously stored data either
-##! as an event stream or into a Bro table.
+##! as an event stream or into a Zeek table.
 
 module Input;
 
@@ -55,7 +55,7 @@ export {
 	## abort. Defaults to false (abort).
 	const accept_unsupported_types = F &redef;
 
-	## A table input stream type used to send data to a Bro table.
+	## A table input stream type used to send data to a Zeek table.
 	type TableDescription: record {
 		# Common definitions for tables and events
 
@@ -112,7 +112,7 @@ export {
 		##
 		## The event is raised like if it had been declared as follows:
 		## error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional;
-		## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
+		## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system.
 		error_ev: any &optional;
 
 		## A key/value table that will be passed to the reader.
@@ -121,7 +121,7 @@ export {
 		config: table[string] of string &default=table();
 	};
 
-	## An event input stream type used to send input data to a Bro event.
+	## An event input stream type used to send input data to a Zeek event.
 	type EventDescription: record {
 		# Common definitions for tables and events
 
@@ -166,7 +166,7 @@ export {
 		##
 		## The event is raised like it had been declared as follows:
 		## error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional;
-		## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
+		## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system.
 		error_ev: any &optional;
 
 		## A key/value table that will be passed to the reader.

scripts/base/frameworks/input/readers/ascii.zeek

@@ -1,6 +1,6 @@
 ##! Interface for the ascii input reader.
 ##!
-##! The defaults are set to match Bro's ASCII output.
+##! The defaults are set to match Zeek's ASCII output.
 
 module InputAscii;
 

scripts/base/frameworks/logging/main.zeek

@@ -1,6 +1,6 @@
-##! The Bro logging interface.
+##! The Zeek logging interface.
 ##!
-##! See :doc:`/frameworks/logging` for an introduction to Bro's
+##! See :doc:`/frameworks/logging` for an introduction to Zeek's
 ##! logging framework.
 
 module Log;
@@ -84,13 +84,13 @@ export {
 		path: string;		##< Original path value.
 		open: time;		##< Time when opened.
 		close: time;		##< Time when closed.
-		terminating: bool;	##< True if rotation occured due to Bro shutting down.
+		terminating: bool;	##< True if rotation occured due to Zeek shutting down.
 	};
 
 	## Default rotation interval to use for filters that do not specify
 	## an interval. Zero disables rotation.
 	##
-	## Note that this is overridden by the BroControl LogRotationInterval
+	## Note that this is overridden by the ZeekControl LogRotationInterval
 	## option.
 	const default_rotation_interval = 0secs &redef;
 
@@ -108,7 +108,7 @@ export {
 	## Default alarm summary mail interval. Zero disables alarm summary
 	## mails.
 	##
-	## Note that this is overridden by the BroControl MailAlarmsInterval
+	## Note that this is overridden by the ZeekControl MailAlarmsInterval
 	## option.
 	const default_mail_alarms_interval = 0secs &redef;
 
@@ -219,7 +219,7 @@ export {
 		scope_sep: string &default=default_scope_sep;
 
 		## Default prefix for all extension fields. It's typically
-		## prudent to set this to something that Bro's logging
+		## prudent to set this to something that Zeek's logging
 		## framework can't normally write out in a field name.
 		ext_prefix: string &default=default_ext_prefix;
 

scripts/base/frameworks/netcontrol/README

@@ -1,3 +1,3 @@
-The NetControl framework provides a way for Bro to interact with networking
+The NetControl framework provides a way for Zeek to interact with networking
 hard- and software, e.g. for dropping and shunting IP addresses/connections,
 etc.

scripts/base/frameworks/netcontrol/drop.zeek

@@ -32,7 +32,7 @@ export {
 	type DropInfo: record {
 		## Time at which the recorded activity occurred.
 		ts: time		&log;
-		## ID of the rule; unique during each Bro run.
+		## ID of the rule; unique during each Zeek run.
 		rule_id: string  &log;
 		orig_h: addr 	&log;	##< The originator's IP address.
 		orig_p: port 	&log &optional;	##< The originator's port number.

scripts/base/frameworks/netcontrol/main.zeek

@@ -1,8 +1,8 @@
-##! Bro's NetControl framework.
+##! Zeek's NetControl framework.
 ##!
-##! This plugin-based framework allows to control the traffic that Bro monitors
+##! This plugin-based framework allows to control the traffic that Zeek monitors
 ##! as well as, if having access to the forwarding path, the traffic the network
-##! forwards. By default, the framework lets everything through, to both Bro
+##! forwards. By default, the framework lets everything through, to both Zeek
 ##! itself as well as on the network. Scripts can then add rules to impose
 ##! restrictions on entities, such as specific connections or IP addresses.
 ##!
@@ -291,7 +291,7 @@ export {
 	type Info: record {
 		## Time at which the recorded activity occurred.
 		ts: time		&log;
-		## ID of the rule; unique during each Bro run.
+		## ID of the rule; unique during each Zeek run.
 		rule_id: string  &log &optional;
 		## Type of the log entry.
 		category: InfoCategory	&log &optional;
@@ -632,7 +632,7 @@ event NetControl::init() &priority=-20
 		log_msg_no_plugin("waiting for plugins to initialize");
 	}
 
-# Low-level functions that only runs on the manager (or standalone) Bro node.
+# Low-level functions that only runs on the manager (or standalone) Zeek node.
 
 function activate_impl(p: PluginState, priority: int)
 	{

scripts/base/frameworks/netcontrol/plugin.zeek

@@ -74,7 +74,7 @@ export {
 	## Table for a plugin to store instance-specific configuration information.
 	##
 	## Note, it would be nicer to pass the Plugin instance to all the below, instead
-	## of this state table. However Bro's type resolver has trouble with refering to a
+	## of this state table. However Zeek's type resolver has trouble with refering to a
 	## record type from inside itself.
 	redef record PluginState += {
 		## The plugin that the state belongs to. (Defined separately

scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek

@@ -1,5 +1,5 @@
 ##! NetControl plugin for the process-level PacketFilter that comes with
-##! Bro. Since the PacketFilter in Bro is quite limited in scope
+##! Zeek. Since the PacketFilter in Zeek is quite limited in scope
 ##! and can only add/remove filters for addresses, this is quite
 ##! limited in scope at the moment. 
 
@@ -13,7 +13,7 @@ export {
 }
 
 # Check if we can handle this rule. If it specifies ports or
-# anything Bro cannot handle, simply ignore it for now.
+# anything Zeek cannot handle, simply ignore it for now.
 function packetfilter_check_rule(r: Rule) : bool
 	{
 	if ( r$ty != DROP )

scripts/base/frameworks/netcontrol/shunt.zeek

@@ -7,7 +7,7 @@ module NetControl;
 export {
 	redef enum Log::ID += { SHUNT };
 
-	## Stops forwarding a uni-directional flow's packets to Bro.
+	## Stops forwarding a uni-directional flow's packets to Zeek.
 	##
 	## f: The flow to shunt.
 	##
@@ -21,7 +21,7 @@ export {
 	type ShuntInfo: record {
 		## Time at which the recorded activity occurred.
 		ts: time &log;
-		## ID of the rule; unique during each Bro run.
+		## ID of the rule; unique during each Zeek run.
 		rule_id: string  &log;
 		## Flow ID of the shunted flow.
 		f: flow_id &log;

scripts/base/frameworks/netcontrol/types.zeek

@@ -50,12 +50,12 @@ export {
 	## Type defining the target of a rule.
 	##
 	## Rules can either be applied to the forward path, affecting all network traffic, or
-	## on the monitor path, only affecting the traffic that is sent to Bro. The second
+	## on the monitor path, only affecting the traffic that is sent to Zeek. The second
-	## is mostly used for shunting, which allows Bro to tell the networking hardware that
+	## is mostly used for shunting, which allows Zeek to tell the networking hardware that
 	## it wants to no longer see traffic that it identified as benign.
 	type TargetType: enum {
 		FORWARD,	#< Apply rule actively to traffic on forwarding path.
-		MONITOR,	#< Apply rule passively to traffic sent to Bro for monitoring.
+		MONITOR,	#< Apply rule passively to traffic sent to Zeek for monitoring.
 	};
 
 	## Type of rules that the framework supports. Each type lists the extra

scripts/base/frameworks/notice/README

@@ -1,4 +1,4 @@
-The notice framework enables Bro to "notice" things which are odd or
+The notice framework enables Zeek to "notice" things which are odd or
 potentially bad, leaving it to the local configuration to define which
 of them are actionable.  This decoupling of detection and reporting allows
-Bro to be customized to the different needs that sites have.
+Zeek to be customized to the different needs that sites have.

scripts/base/frameworks/notice/actions/pp-alarms.zeek

@@ -14,7 +14,7 @@ export {
 	## Address to send the pretty-printed reports to. Default if not set is
 	## :zeek:id:`Notice::mail_dest`.
 	##
-	## Note that this is overridden by the BroControl MailAlarmsTo option.
+	## Note that this is overridden by the ZeekControl MailAlarmsTo option.
 	const mail_dest_pretty_printed = "" &redef;
 	## If an address from one of these networks is reported, we mark
 	## the entry with an additional quote symbol (i.e., ">"). Many MUAs

scripts/base/frameworks/notice/main.zeek

@@ -1,6 +1,6 @@
-##! This is the notice framework which enables Bro to "notice" things which
+##! This is the notice framework which enables Zeek to "notice" things which
 ##! are odd or potentially bad.  Decisions of the meaning of various notices
-##! need to be done per site because Bro does not ship with assumptions about
+##! need to be done per site because Zeek does not ship with assumptions about
 ##! what is bad activity for sites.  More extensive documentation about using
 ##! the notice framework can be found in :doc:`/frameworks/notice`.
 
@@ -189,26 +189,26 @@ export {
 
 	## Local system sendmail program.
 	##
-	## Note that this is overridden by the BroControl SendMail option.
+	## Note that this is overridden by the ZeekControl SendMail option.
 	option sendmail            = "/usr/sbin/sendmail";
 	## Email address to send notices with the
 	## :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
 	## on rotation with :zeek:enum:`Notice::ACTION_ALARM`.
 	##
-	## Note that this is overridden by the BroControl MailTo option.
+	## Note that this is overridden by the ZeekControl MailTo option.
 	const mail_dest           = ""                   &redef;
 
 	## Address that emails will be from.
 	##
-	## Note that this is overridden by the BroControl MailFrom option.
+	## Note that this is overridden by the ZeekControl MailFrom option.
-	option mail_from           = "Big Brother <bro@localhost>";
+	option mail_from           = "Zeek <zeek@localhost>";
 	## Reply-to address used in outbound email.
 	option reply_to            = "";
 	## Text string prefixed to the subject of all emails sent out.
 	##
-	## Note that this is overridden by the BroControl MailSubjectPrefix
+	## Note that this is overridden by the ZeekControl MailSubjectPrefix
 	## option.
-	option mail_subject_prefix = "[Bro]";
+	option mail_subject_prefix = "[Zeek]";
 	## The maximum amount of time a plugin can delay email from being sent.
 	const max_email_delay     = 15secs &redef;
 
@@ -390,7 +390,7 @@ event zeek_init() &priority=5
 	Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]);
 
 	Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info, $path="notice_alarm"]);
-	# If Bro is configured for mailing notices, set up mailing for alarms.
+	# If Zeek is configured for mailing notices, set up mailing for alarms.
 	# Make sure that this alarm log is also output as text so that it can
 	# be packaged up and emailed later.
 	if ( ! reading_traces() && mail_dest != "" )

scripts/base/frameworks/notice/weird.zeek

@@ -1,5 +1,5 @@
 ##! This script provides a default set of actions to take for "weird activity"
-##! events generated from Bro's event engine.  Weird activity is defined as
+##! events generated from Zeek's event engine.  Weird activity is defined as
 ##! unusual or exceptional activity that can indicate malformed connections,
 ##! traffic that doesn't conform to a particular protocol, malfunctioning
 ##! or misconfigured hardware, or even an attacker attempting to avoid/confuse

scripts/base/frameworks/openflow/consts.zeek

@@ -1,7 +1,7 @@
 ##! Constants used by the OpenFlow framework.
 
 # All types/constants not specific to OpenFlow will be defined here
-# until they somehow get into Bro.
+# until they somehow get into Zeek.
 
 module OpenFlow;
 
@@ -10,7 +10,7 @@ module OpenFlow;
 const COOKIE_BID_SIZE = 16777216;
 # start at bit 40 (1 << 40)
 const COOKIE_BID_START = 1099511627776;
-# bro specific cookie ID shall have the 42 bit set (1 << 42)
+# Zeek specific cookie ID shall have the 42 bit set (1 << 42)
 const BRO_COOKIE_ID = 4;
 # 8 bits group identifier
 const COOKIE_GID_SIZE = 256;
@@ -122,7 +122,7 @@ export {
 
 	## Return value for a cookie from a flow
 	## which is not added, modified or deleted
-	## from the bro openflow framework.
+	## from the Zeek openflow framework.
 	const INVALID_COOKIE = 0xffffffffffffffff;
 	# Openflow physical port definitions
 	## Send the packet out the input port. This

scripts/base/frameworks/openflow/main.zeek

@@ -1,4 +1,4 @@
-##! Bro's OpenFlow control framework.
+##! Zeek's OpenFlow control framework.
 ##!
 ##! This plugin-based framework allows to control OpenFlow capable
 ##! switches by implementing communication to an OpenFlow controller

scripts/base/frameworks/openflow/plugins/broker.zeek

@@ -61,8 +61,8 @@ function broker_flow_clear_fun(state: OpenFlow::ControllerState): bool
 
 function broker_init(state: OpenFlow::ControllerState)
 	{
-	Broker::peer(cat(state$broker_host), state$broker_port);
 	Broker::subscribe(state$broker_topic); # openflow success and failure events are directly sent back via the other plugin via broker.
+	Broker::peer(cat(state$broker_host), state$broker_port);
 	}
 
 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)

scripts/base/frameworks/openflow/plugins/log.zeek

@@ -1,5 +1,5 @@
 ##! OpenFlow plugin that outputs flow-modification commands
-##! to a Bro log file.
+##! to a Zeek log file.
 
 @load base/frameworks/openflow
 @load base/frameworks/logging

scripts/base/frameworks/packet-filter/README

@@ -1 +1 @@
-The packet filter framework supports how Bro sets its BPF capture filter.
+The packet filter framework supports how Zeek sets its BPF capture filter.

scripts/base/frameworks/packet-filter/cluster.zeek

@@ -4,11 +4,11 @@
 
 module PacketFilter;
 
-event remote_connection_handshake_done(p: event_peer) &priority=3
+event Cluster::hello(name: string, id: string) &priority=-3
 	{
 	if ( Cluster::local_node_type() == Cluster::WORKER &&
-	     p$descr in Cluster::nodes && 
+	     name in Cluster::nodes &&
-	     Cluster::nodes[p$descr]$node_type == Cluster::MANAGER )
+	     Cluster::nodes[name]$node_type == Cluster::MANAGER )
 		{
 		# This ensures that a packet filter is installed and logged
 		# after the manager connects to us.

scripts/base/frameworks/packet-filter/main.zeek

@@ -1,7 +1,7 @@
-##! This script supports how Bro sets its BPF capture filter.  By default
+##! This script supports how Zeek sets its BPF capture filter.  By default
-##! Bro sets a capture filter that allows all traffic.  If a filter
+##! Zeek sets a capture filter that allows all traffic.  If a filter
 ##! is set on the command line, that filter takes precedence over the default
-##! open filter and all filters defined in Bro scripts with the
+##! open filter and all filters defined in Zeek scripts with the
 ##! :zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables.
 
 @load base/frameworks/notice

scripts/base/frameworks/packet-filter/netstats.zeek

@@ -1,5 +1,5 @@
 ##! This script reports on packet loss from the various packet sources.
-##! When Bro is reading input from trace files, this script will not
+##! When Zeek is reading input from trace files, this script will not
 ##! report any packet loss statistics.
 
 @load base/frameworks/notice

scripts/base/frameworks/reporter/main.zeek

@@ -27,9 +27,9 @@ export {
 		## terminate program execution.
 		level:    Level  &log;
 		## An info/warning/error message that could have either been
-		## generated from the internal Bro core or at the scripting-layer.
+		## generated from the internal Zeek core or at the scripting-layer.
 		message:  string &log;
-		## This is the location in a Bro script where the message originated.
+		## This is the location in a Zeek script where the message originated.
 		## Not all reporter messages will have locations in them though.
 		location: string &log &optional;
 	};

scripts/base/frameworks/signatures/README

@@ -1,4 +1,4 @@
 The signature framework provides for doing low-level pattern matching.  While
-signatures are not Bro's preferred detection tool, they sometimes come in
+signatures are not Zeek's preferred detection tool, they sometimes come in
 handy and are closer to what many people are familiar with from using
 other NIDS.

scripts/base/frameworks/signatures/main.zeek

@@ -1,6 +1,6 @@
 ##! Script level signature support.  See the
 ##! :doc:`signature documentation </frameworks/signatures>` for more
-##! information about Bro's signature engine.
+##! information about Zeek's signature engine.
 
 @load base/frameworks/notice
 

scripts/base/init-bare.zeek

@@ -113,7 +113,7 @@ type mime_match: record {
 ## :zeek:see:`file_magic`
 type mime_matches: vector of mime_match;
 
-## A connection's transport-layer protocol. Note that Bro uses the term
+## A connection's transport-layer protocol. Note that Zeek uses the term
 ## "connection" broadly, using flow semantics for ICMP and UDP.
 type transport_proto: enum {
     unknown_transport,	##< An unknown transport-layer protocol.
@@ -235,7 +235,7 @@ type icmp6_nd_option: record {
 ## A type alias for a vector of ICMPv6 neighbor discovery message options.
 type icmp6_nd_options: vector of icmp6_nd_option;
 
-# A DNS mapping between IP address and hostname resolved by Bro's internal
+# A DNS mapping between IP address and hostname resolved by Zeek's internal
 # resolver.
 #
 # .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -340,8 +340,8 @@ type endpoint: record {
 	l2_addr: string &optional;
 };
 
-## A connection. This is Bro's basic connection type describing IP- and
+## A connection. This is Zeek's basic connection type describing IP- and
-## transport-layer information about the conversation. Note that Bro uses a
+## transport-layer information about the conversation. Note that Zeek uses a
 ## liberal interpretation of "connection" and associates instances of this type
 ## also with UDP and ICMP flows.
 type connection: record {
@@ -353,7 +353,7 @@ type connection: record {
 	## interval between first and last data packet (low-level TCP details
 	## may adjust it somewhat in ambiguous cases).
 	duration: interval;
-	## The set of services the connection is using as determined by Bro's
+	## The set of services the connection is using as determined by Zeek's
 	## dynamic protocol detection. Each entry is the label of an analyzer
 	## that confirmed that it could parse the connection payload.  While
 	## typically, there will be at most one entry for each connection, in
@@ -362,8 +362,8 @@ type connection: record {
 	## the recorded services are independent of any transport-level protocols.
 	service: set[string];
 	history: string;	##< State history of connections. See *history* in :zeek:see:`Conn::Info`.
-	## A globally unique connection identifier. For each connection, Bro
+	## A globally unique connection identifier. For each connection, Zeek
-	## creates an ID that is very likely unique across independent Bro runs.
+	## creates an ID that is very likely unique across independent Zeek runs.
 	## These IDs can thus be used to tag and locate information associated
 	## with that connection.
 	uid: string;
@@ -390,7 +390,7 @@ option default_file_timeout_interval: interval = 2 mins;
 ## matching or later, will receive a copy of this buffer.
 option default_file_bof_buffer_size: count = 4096;
 
-## A file that Bro is analyzing.  This is Bro's type for describing the basic
+## A file that Zeek is analyzing.  This is Zeek's type for describing the basic
 ## internal metadata collected about a "file", which is essentially just a
 ## byte stream that is e.g. pulled from a network connection or possibly
 ## some other input source.
@@ -476,7 +476,7 @@ type SYN_packet: record {
 ##
 ## .. zeek:see:: get_net_stats
 type NetStats: record {
-	pkts_recvd:   count &default=0;	##< Packets received by Bro.
+	pkts_recvd:   count &default=0;	##< Packets received by Zeek.
 	pkts_dropped: count &default=0;	##< Packets reported dropped by the system.
 	## Packets seen on the link. Note that this may differ
 	## from *pkts_recvd* because of a potential capture_filter. See
@@ -484,7 +484,7 @@ type NetStats: record {
 	## packet capture system, this value may not be available and will then
 	## be always set to zero.
 	pkts_link:    count &default=0;
-	bytes_recvd:  count &default=0;	##< Bytes received by Bro.
+	bytes_recvd:  count &default=0;	##< Bytes received by Zeek.
 };
 
 type ConnStats: record {
@@ -512,16 +512,16 @@ type ConnStats: record {
 	killed_by_inactivity: count;
 };
 
-## Statistics about Bro's process.
+## Statistics about Zeek's process.
 ##
 ## .. zeek:see:: get_proc_stats
 ##
-## .. note:: All process-level values refer to Bro's main process only, not to
+## .. note:: All process-level values refer to Zeek's main process only, not to
 ##    the child process it spawns for doing communication.
 type ProcStats: record {
 	debug: bool;                  ##< True if compiled with --enable-debug.
 	start_time: time;             ##< Start time of process.
-	real_time: interval;          ##< Elapsed real time since Bro started running.
+	real_time: interval;          ##< Elapsed real time since Zeek started running.
 	user_time: interval;          ##< User CPU seconds.
 	system_time: interval;        ##< System CPU seconds.
 	mem: count;                   ##< Maximum memory consumed, in KB.
@@ -579,8 +579,8 @@ type FileAnalysisStats: record {
 	cumulative: count; ##< Cumulative number of files analyzed.
 };
 
-## Statistics related to Bro's active use of DNS.  These numbers are
+## Statistics related to Zeek's active use of DNS.  These numbers are
-## about Bro performing DNS queries on it's own, not traffic
+## about Zeek performing DNS queries on it's own, not traffic
 ## being seen.
 ##
 ## .. zeek:see:: get_dns_stats
@@ -735,7 +735,7 @@ type call_argument_vector: vector of call_argument;
 # dependent on the names remaining as they are now.
 
 ## Set of BPF capture filters to use for capturing, indexed by a user-definable
-## ID (which must be unique). If Bro is *not* configured with
+## ID (which must be unique). If Zeek is *not* configured with
 ## :zeek:id:`PacketFilter::enable_auto_protocol_capture_filters`,
 ## all packets matching at least one of the filters in this table (and all in
 ## :zeek:id:`restrict_filters`) will be analyzed.
@@ -775,35 +775,6 @@ type IPAddrAnonymizationClass: enum {
 	OTHER_ADDR,
 };
 
-## A locally unique ID identifying a communication peer. The ID is returned by
-## :zeek:id:`connect`.
-##
-## .. zeek:see:: connect
-type peer_id: count;
-
-## A communication peer.
-##
-## .. zeek:see:: complete_handshake disconnect finished_send_state
-##    get_event_peer get_local_event_peer remote_capture_filter
-##    remote_connection_closed remote_connection_error
-##    remote_connection_established remote_connection_handshake_done
-##    remote_event_registered remote_log_peer remote_pong
-##    request_remote_events request_remote_logs request_remote_sync
-##    send_capture_filter send_current_packet send_id send_ping send_state
-##    set_accept_state set_compression_level
-##
-## .. todo::The type's name is too narrow these days, should rename.
-type event_peer: record {
-	id: peer_id;	##< Locally unique ID of peer (returned by :zeek:id:`connect`).
-	host: addr;	##< The IP address of the peer.
-	## Either the port we connected to at the peer; or our port the peer
-	## connected to if the session is remotely initiated.
-	p: port;
-	is_local: bool;		##< True if this record describes the local process.
-	descr: string;		##< The peer's :zeek:see:`peer_description`.
-	class: string &optional;	##< The self-assigned *class* of the peer.
-};
-
 ## Deprecated.
 ##
 ## .. zeek:see:: rotate_file rotate_file_by_name rotate_interval
@@ -895,7 +866,7 @@ const mmdb_dir: string = "" &redef;
 
 ## Computed entropy values. The record captures a number of measures that are
 ## computed in parallel. See `A Pseudorandom Number Sequence Test Program
-## <http://www.fourmilab.ch/random>`_ for more information, Bro uses the same
+## <http://www.fourmilab.ch/random>`_ for more information, Zeek uses the same
 ## code.
 ##
 ## .. zeek:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy
@@ -1022,7 +993,7 @@ const tcp_max_above_hole_without_any_acks = 16384 &redef;
 
 ## If we've seen this much data without any of it being acked, we give up
 ## on that connection to avoid memory exhaustion due to buffering all that
-## stuff.  If set to zero, then we don't ever give up.  Ideally, Bro would
+## stuff.  If set to zero, then we don't ever give up.  Ideally, Zeek would
 ## track the current window on a connection and use it to infer that data
 ## has in fact gone too far, but for now we just make this quite beefy.
 ##
@@ -1817,7 +1788,7 @@ type gtp_delete_pdp_ctx_response_elements: record {
 	ext:   gtp_private_extension &optional;
 };
 
-# Prototypes of Bro built-in functions.
+# Prototypes of Zeek built-in functions.
 @load base/bif/bro.bif
 @load base/bif/stats.bif
 @load base/bif/reporter.bif
@@ -1830,13 +1801,13 @@ global log_file_name: function(tag: string): string &redef;
 ## Deprecated. This is superseded by the new logging framework.
 global open_log_file: function(tag: string): file &redef;
 
-## Specifies a directory for Bro to store its persistent state. All globals can
+## Specifies a directory for Zeek to store its persistent state. All globals can
 ## be declared persistent via the :zeek:attr:`&persistent` attribute.
 const state_dir = ".state" &redef;
 
 ## Length of the delays inserted when storing state incrementally. To avoid
 ## dropping packets when serializing larger volumes of persistent state to
-## disk, Bro interleaves the operation with continued packet processing.
+## disk, Zeek interleaves the operation with continued packet processing.
 const state_write_delay = 0.01 secs &redef;
 
 global done_with_network = F;
@@ -1897,7 +1868,7 @@ global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr)
 global discarder_maxlen = 128 &redef;
 
 ## Function for skipping packets based on their IP header. If defined, this
-## function will be called for all IP packets before Bro performs any further
+## function will be called for all IP packets before Zeek performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
@@ -1913,7 +1884,7 @@ global discarder_maxlen = 128 &redef;
 global discarder_check_ip: function(p: pkt_hdr): bool;
 
 ## Function for skipping packets based on their TCP header. If defined, this
-## function will be called for all TCP packets before Bro performs any further
+## function will be called for all TCP packets before Zeek performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
@@ -1931,7 +1902,7 @@ global discarder_check_ip: function(p: pkt_hdr): bool;
 global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
 
 ## Function for skipping packets based on their UDP header. If defined, this
-## function will be called for all UDP packets before Bro performs any further
+## function will be called for all UDP packets before Zeek performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
@@ -1949,7 +1920,7 @@ global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
 global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
 
 ## Function for skipping packets based on their ICMP header. If defined, this
-## function will be called for all ICMP packets before Bro performs any further
+## function will be called for all ICMP packets before Zeek performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
@@ -1964,7 +1935,7 @@ global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
 ##    Avoid using it.
 global discarder_check_icmp: function(p: pkt_hdr): bool;
 
-## Bro's watchdog interval.
+## Zeek's watchdog interval.
 const watchdog_interval = 10 sec &redef;
 
 ## The maximum number of timers to expire after processing each new
@@ -1973,10 +1944,6 @@ const watchdog_interval = 10 sec &redef;
 ## "process all expired timers with each new packet".
 const max_timer_expires = 300 &redef;
 
-## With a similar trade-off, this gives the number of remote events
-## to process in a batch before interleaving other activity.
-const max_remote_events_processed = 10 &redef;
-
 # These need to match the definitions in Login.h.
 #
 # .. zeek:see:: get_login_state
@@ -2744,7 +2711,7 @@ export {
 
 	## A set of file names used as named pipes over SMB. This
 	## only comes into play as a heuristic to identify named
-	## pipes when the drive mapping wasn't seen by Bro.
+	## pipes when the drive mapping wasn't seen by Zeek.
 	##
 	## .. zeek:see:: smb_pipe_connect_heuristic
 	const SMB::pipe_filenames: set[string] &redef;
@@ -3743,12 +3710,6 @@ global dns_skip_all_addl = T &redef;
 ## traffic and do not process it.  Set to 0 to turn off this functionality.
 global dns_max_queries = 25 &redef;
 
-## The address of the DNS resolver to use.  If not changed from the
-## unspecified address, ``[::]``, the first nameserver from /etc/resolv.conf
-## gets used (IPv6 is currently only supported if set via this option, not
-## when parsed from the file).
-const dns_resolver = [::] &redef;
-
 ## HTTP session statistics.
 ##
 ## .. zeek:see:: http_stats
@@ -4522,13 +4483,13 @@ export {
 	## The data from the ERROR_MSG message. See :rfc:`4120`.
 	type KRB::Error_Msg: record {
 		## Protocol version number (5 for KRB5)
-		pvno		: count;
+		pvno		: count &optional;
 		## The message type (30 for ERROR_MSG)
-		msg_type	: count;
+		msg_type	: count &optional;
 		## Current time on the client
 		client_time	: time &optional;
 		## Current time on the server
-		server_time	: time;
+		server_time	: time &optional;
 		## The specific error code
 		error_code	: count;
 		## Realm of the ticket
@@ -4536,9 +4497,9 @@ export {
 		## Name on the ticket
 		client_name	: string &optional;
 		## Realm of the service
-		service_realm	: string;
+		service_realm	: string &optional;
 		## Name of the service
-		service_name	: string;
+		service_name	: string &optional;
 		## Additional text to explain the error
 		error_text	: string &optional;
 		## Optional pre-authentication data
@@ -4572,25 +4533,25 @@ export {
 		## Optional pre-authentication data
 		pa_data			: vector of KRB::Type_Value &optional;
 		## Options specified in the request
-		kdc_options		: KRB::KDC_Options;
+		kdc_options		: KRB::KDC_Options &optional;
 		## Name on the ticket
 		client_name		: string &optional;
 
 		## Realm of the service
-		service_realm		: string;
+		service_realm		: string &optional;
 		## Name of the service
 		service_name		: string &optional;
 		## Time the ticket is good from
 		from			: time &optional;
 		## Time the ticket is good till
-		till			: time;
+		till			: time &optional;
 		## The requested renew-till time
 		rtime			: time &optional;
 
 		## A random nonce generated by the client
-		nonce			: count;
+		nonce			: count &optional;
 		## The desired encryption algorithms, in order of preference
-		encryption_types	: vector of count;
+		encryption_types	: vector of count &optional;
 		## Any additional addresses the ticket should be valid for
 		host_addrs		: vector of KRB::Host_Address &optional;
 		## Additional tickets may be included for certain transactions
@@ -4709,16 +4670,16 @@ const detect_filtered_trace = F &redef;
 ## .. zeek:see:: content_gap partial_connection
 const report_gaps_for_partial = F &redef;
 
-## Flag to prevent Bro from exiting automatically when input is exhausted.
+## Flag to prevent Zeek from exiting automatically when input is exhausted.
-## Normally Bro terminates when all packet sources have gone dry
+## Normally Zeek terminates when all packet sources have gone dry
-## and communication isn't enabled. If this flag is set, Bro's main loop will
+## and communication isn't enabled. If this flag is set, Zeek's main loop will
 ## instead keep idling until :zeek:see:`terminate` is explicitly called.
 ##
 ## This is mainly for testing purposes when termination behaviour needs to be
 ## controlled for reproducing results.
 const exit_only_after_terminate = F &redef;
 
-## The CA certificate file to authorize remote Bros/Broccolis.
+## The CA certificate file to authorize remote Zeeks/Broccolis.
 ##
 ## .. zeek:see:: ssl_private_key ssl_passphrase
 const ssl_ca_certificate = "<undefined>" &redef;
@@ -4729,17 +4690,17 @@ const ssl_ca_certificate = "<undefined>" &redef;
 const ssl_private_key = "<undefined>" &redef;
 
 ## The passphrase for our private key. Keeping this undefined
-## causes Bro to prompt for the passphrase.
+## causes Zeek to prompt for the passphrase.
 ##
 ## .. zeek:see:: ssl_private_key ssl_ca_certificate
 const ssl_passphrase = "<undefined>" &redef;
 
-## Default mode for Bro's user-space dynamic packet filter. If true, packets
+## Default mode for Zeek's user-space dynamic packet filter. If true, packets
 ## that aren't explicitly allowed through, are dropped from any further
 ## processing.
 ##
 ## .. note:: This is not the BPF packet filter but an additional dynamic filter
-##    that Bro optionally applies just before normal processing starts.
+##    that Zeek optionally applies just before normal processing starts.
 ##
 ## .. zeek:see:: install_dst_addr_filter install_dst_net_filter
 ##    install_src_addr_filter install_src_net_filter  uninstall_dst_addr_filter
@@ -4749,70 +4710,14 @@ const packet_filter_default = F &redef;
 ## Maximum size of regular expression groups for signature matching.
 const sig_max_group_size = 50 &redef;
 
-## Deprecated. No longer functional.
-const enable_syslog = F &redef;
-
 ## Description transmitted to remote communication peers for identification.
 const peer_description = "bro" &redef;
 
-## If true, broadcast events received from one peer to all other peers.
-##
-## .. zeek:see:: forward_remote_state_changes
-##
-## .. note:: This option is only temporary and will disappear once we get a
-##    more sophisticated script-level communication framework.
-const forward_remote_events = F &redef;
-
-## If true, broadcast state updates received from one peer to all other peers.
-##
-## .. zeek:see:: forward_remote_events
-##
-## .. note:: This option is only temporary and will disappear once we get a
-##    more sophisticated script-level communication framework.
-const forward_remote_state_changes = F &redef;
-
 ## The number of IO chunks allowed to be buffered between the child
-## and parent process of remote communication before Bro starts dropping
+## and parent process of remote communication before Zeek starts dropping
 ## connections to remote peers in an attempt to catch up.
 const chunked_io_buffer_soft_cap = 800000 &redef;
 
-## Place-holder constant indicating "no peer".
-const PEER_ID_NONE = 0;
-
-# Signature payload pattern types.
-# todo:: use enum to help autodoc
-# todo:: Still used?
-#const SIG_PATTERN_PAYLOAD = 0;
-#const SIG_PATTERN_HTTP = 1;
-#const SIG_PATTERN_FTP = 2;
-#const SIG_PATTERN_FINGER = 3;
-
-# Deprecated.
-# todo::Should use the new logging framework directly.
-const REMOTE_LOG_INFO = 1;	##< Deprecated.
-const REMOTE_LOG_ERROR = 2;	##< Deprecated.
-
-# Source of logging messages from the communication framework.
-# todo:: these should go into an enum to make them autodoc'able.
-const REMOTE_SRC_CHILD = 1;	##< Message from the child process.
-const REMOTE_SRC_PARENT = 2;	##< Message from the parent process.
-const REMOTE_SRC_SCRIPT = 3;	##< Message from a policy script.
-
-## Synchronize trace processing at a regular basis in pseudo-realtime mode.
-##
-## .. zeek:see:: remote_trace_sync_peers
-const remote_trace_sync_interval = 0 secs &redef;
-
-## Number of peers across which to synchronize trace processing in
-## pseudo-realtime mode.
-##
-## .. zeek:see:: remote_trace_sync_interval
-const remote_trace_sync_peers = 0 &redef;
-
-## Whether for :zeek:attr:`&synchronized` state to send the old value as a
-## consistency check.
-const remote_check_sync_consistency = F &redef;
-
 ## Reassemble the beginning of all TCP connections before doing
 ## signature matching. Enabling this provides more accurate matching at the
 ## expense of CPU cycles.
@@ -4825,7 +4730,7 @@ const remote_check_sync_consistency = F &redef;
 const dpd_reassemble_first_packets = T &redef;
 
 ## Size of per-connection buffer used for dynamic protocol detection. For each
-## connection, Bro buffers this initial amount of payload in memory so that
+## connection, Zeek buffers this initial amount of payload in memory so that
 ## complete protocol analysis can start even after the initial packets have
 ## already passed through (i.e., when a DPD signature matches only later).
 ## However, once the buffer is full, data is deleted and lost to analyzers that
@@ -4879,8 +4784,8 @@ const suppress_local_output = F &redef;
 ## .. zeek:see:: record_all_packets
 const trace_output_file = "";
 
-## If a trace file is given with ``-w``, dump *all* packets seen by Bro into it.
+## If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it.
-## By default, Bro applies (very few) heuristics to reduce the volume. A side
+## By default, Zeek applies (very few) heuristics to reduce the volume. A side
 ## effect of setting this to true is that we can write the packets out before we
 ## actually process them, which can be helpful for debugging in case the
 ## analysis triggers a crash.
@@ -4901,7 +4806,7 @@ module JSON;
 export {
 	type TimestampFormat: enum {
 		## Timestamps will be formatted as UNIX epoch doubles.  This is
-		## the format that Bro typically writes out timestamps.
+		## the format that Zeek typically writes out timestamps.
 		TS_EPOCH,
 		## Timestamps will be formatted as unsigned integers that
 		## represent the number of milliseconds since the UNIX
@@ -4972,17 +4877,17 @@ export {
 module Reporter;
 export {
 	## Tunable for sending reporter info messages to STDERR.  The option to
-	## turn it off is presented here in case Bro is being run by some
+	## turn it off is presented here in case Zeek is being run by some
 	## external harness and shouldn't output anything to the console.
 	const info_to_stderr = T &redef;
 
 	## Tunable for sending reporter warning messages to STDERR.  The option
-	## to turn it off is presented here in case Bro is being run by some
+	## to turn it off is presented here in case Zeek is being run by some
 	## external harness and shouldn't output anything to the console.
 	const warnings_to_stderr = T &redef;
 
 	## Tunable for sending reporter error messages to STDERR.  The option to
-	## turn it off is presented here in case Bro is being run by some
+	## turn it off is presented here in case Zeek is being run by some
 	## external harness and shouldn't output anything to the console.
 	const errors_to_stderr = T &redef;
 }
@@ -5074,8 +4979,8 @@ export {
 module GLOBAL;
 
 ## Seed for hashes computed internally for probabilistic data structures. Using
-## the same value here will make the hashes compatible between independent Bro
+## the same value here will make the hashes compatible between independent Zeek
-## instances. If left unset, Bro will use a temporary local seed.
+## instances. If left unset, Zeek will use a temporary local seed.
 const global_hash_seed: string = "" &redef;
 
 ## Number of bits in UIDs that are generated to identify connections and
@@ -5084,7 +4989,7 @@ const global_hash_seed: string = "" &redef;
 const bits_per_uid: count = 96 &redef;
 
 ## Whether usage of the old communication system is considered an error or
-## not.  The default Bro configuration no longer works with the non-Broker
+## not.  The default Zeek configuration no longer works with the non-Broker
 ## communication system unless you have manually taken action to initialize
 ## and set up the old comm. system.  Deprecation warnings are still emitted
 ## when setting this flag, but they will not result in a fatal error.

scripts/base/init-default.zeek

@@ -1,5 +1,5 @@
 ##! This script loads everything in the base/ script directory.  If you want
-##! to run Bro without all of these scripts loaded by default, you can use
+##! to run Zeek without all of these scripts loaded by default, you can use
 ##! the ``-b`` (``--bare-mode``) command line argument.  You can also copy the
 ##! "@load" lines from this script to your own script to load only the scripts
 ##! that you actually want.

scripts/base/misc/find-checksum-offloading.zeek

@@ -50,7 +50,7 @@ event ChecksumOffloading::check()
 			bad_checksum_msg += "UDP";
 			}
 
-		local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading.  By default, packets with invalid checksums are discarded by Bro unless using the -C command-line option or toggling the 'ignore_checksums' variable.  Alternatively, disable checksum offloading by the network adapter to ensure Bro analyzes the actual checksums that are transmitted.", packet_src, bad_checksum_msg);
+		local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading.  By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable.  Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted.", packet_src, bad_checksum_msg);
 		Reporter::warning(message);
 		done = T;
 		}

scripts/base/misc/find-filtered-trace.zeek

@@ -2,7 +2,7 @@
 ##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST
 ##! packets and no content).  On finding such a trace, a warning is
 ##! emitted that suggests toggling the :zeek:see:`detect_filtered_trace`
-##! option may be desired if the user does not want Bro to report
+##! option may be desired if the user does not want Zeek to report
 ##! missing TCP segments.
 
 module FilteredTraceDetection;
@@ -45,5 +45,5 @@ event zeek_done()
 		return;
 
 	if ( ! saw_tcp_conn_with_data )
-		Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
+		Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
 	}

scripts/base/misc/version.zeek

@@ -1,4 +1,4 @@
-##! Provide information about the currently running Bro version.
+##! Provide information about the currently running Zeek version.
 ##! The most convenient way to access this are the Version::number
 ##! and Version::info constants.
 
@@ -8,12 +8,12 @@
 module Version;
 
 export {
-	## A type exactly describing a Bro version
+	## A type exactly describing a Zeek version
 	type VersionDescription: record {
 		## Number representing the version which can be used for easy comparison.
 		## The format of the number is ABBCC with A being the major version,
 		## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
-		## As an example, Bro 2.4.1 results in the number 20401.
+		## As an example, Zeek 2.4.1 results in the number 20401.
 		version_number: count;
 		## Major version number (e.g. 2 for 2.5)
 		major: count;
@@ -23,7 +23,7 @@ export {
 		patch: count;
 		## Commit number for development versions, e.g. 12 for 2.4-12. 0 for non-development versions
 		commit: count;
-		## If set to true, the version is a beta build of Bro
+		## If set to true, the version is a beta build of Zeek
 		beta: bool;
 		## If set to true, the version is a debug build
 		debug: bool;
@@ -33,12 +33,12 @@ export {
 
 	## Parse a given version string.
 	##
-	## version_string: Bro version string.
+	## version_string: Zeek version string.
 	##
 	## Returns: `VersionDescription` record.
 	global parse: function(version_string: string): VersionDescription;
 
-	## Test if the current running version of Bro is greater or equal to the given version
+	## Test if the current running version of Zeek is greater or equal to the given version
 	## string.
 	##
 	## version_string: Version to check against the current running version.
@@ -74,13 +74,13 @@ function parse(version_string: string): VersionDescription
 	}
 
 export {
-	## version number of the currently running version of Bro as a numeric representation.
+	## version number of the currently running version of Zeek as a numeric representation.
 	## The format of the number is ABBCC with A being the major version,
 	## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
-	## As an example, Bro 2.4.1 results in the number 20401
+	## As an example, Zeek 2.4.1 results in the number 20401
 	const number = Version::parse(bro_version())$version_number;
 
-	## `VersionDescription` record pertaining to the currently running version of Bro.
+	## `VersionDescription` record pertaining to the currently running version of Zeek.
 	const info = Version::parse(bro_version());
 }
 

scripts/base/protocols/conn/main.zeek

@@ -112,7 +112,7 @@ export {
 		## w       packet with a zero window advertisement
 		## i       inconsistent packet (e.g. FIN+RST bits set)
 		## q       multi-flag packet (SYN+FIN or SYN+RST bits set)
-		## ^       connection direction was flipped by Bro's heuristic
+		## ^       connection direction was flipped by Zeek's heuristic
 		## ======  ====================================================
 		##
 		## If the event comes from the originator, the letter is in

scripts/base/protocols/dhcp/main.zeek

@@ -138,7 +138,7 @@ function join_data_expiration(t: table[count] of Info, idx: count): interval
 	# If a message hasn't been seen in the past 5 seconds or the
 	# total time watching has been more than the maximum time
 	# allowed by the configuration then log this data and expire it.
-	# Also, if Bro is shutting down.
+	# Also, if Zeek is shutting down.
 	if ( (now - info$last_message_ts) > 5sec ||
 	     (now - info$ts) > max_txid_watch_time ||
 	     bro_is_terminating() )

scripts/base/protocols/dns/main.zeek

@@ -116,7 +116,7 @@ export {
 	## Give up trying to match pending DNS queries or replies for a given
 	## query/transaction ID once this number of unmatched queries or replies
 	## is reached (this shouldn't happen unless either the DNS server/resolver
-	## is broken, Bro is not seeing all the DNS traffic, or an AXFR query
+	## is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
 	## response is ongoing).
 	option max_pending_msgs = 50;
 
@@ -561,7 +561,7 @@ event connection_state_remove(c: connection) &priority=-5
 	if ( ! c?$dns_state )
 		return;
 
-	# If Bro is expiring state, we should go ahead and log all unmatched
+	# If Zeek is expiring state, we should go ahead and log all unmatched
 	# queries and replies now.
 	if( c$dns_state?$pending_query )
 		Log::write(DNS::LOG, c$dns_state$pending_query);

scripts/base/protocols/krb/main.zeek

@@ -118,7 +118,9 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
 		c$krb$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "",
 		                           msg?$client_realm ? msg$client_realm : "");
 
+	if ( msg?$service_name )
 		c$krb$service    = msg$service_name;
+
 	c$krb$success    = F;
 	c$krb$error_code = msg$error_code;
 
@@ -139,17 +141,24 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5
 		return;
 
 	c$krb$request_type = "AS";
-	c$krb$client       = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm);
+
+	c$krb$client       = fmt("%s/%s", msg?$client_name ? msg$client_name : "",
+	                                  msg?$service_realm ? msg$service_realm : "");
+
 	if ( msg?$service_name )
 		c$krb$service      = msg$service_name;
 
 	if ( msg?$from )
 		c$krb$from = msg$from;
+	if ( msg?$till )
 		c$krb$till = msg$till;
 
+	if ( msg?$kdc_options )
+		{
 		c$krb$forwardable = msg$kdc_options$forwardable;
 		c$krb$renewable   = msg$kdc_options$renewable;
 		}
+	}
 
 event krb_as_response(c: connection, msg: KDC_Response) &priority=5
 	{
@@ -188,11 +197,15 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
 		c$krb$service = msg$service_name;
 	if ( msg?$from ) 
 		c$krb$from = msg$from;
+	if ( msg?$till )
 		c$krb$till = msg$till;
 
+	if ( msg?$kdc_options )
+		{
 		c$krb$forwardable = msg$kdc_options$forwardable;
 		c$krb$renewable   = msg$kdc_options$renewable;
 		}
+	}
 
 event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5
 	{

scripts/base/utils/active-http.zeek

@@ -78,7 +78,7 @@ function request2curl(r: Request, bodyfile: string, headersfile: string): string
 
 function request(req: Request): ActiveHTTP::Response
 	{
-	local tmpfile     = "/tmp/bro-activehttp-" + unique_id("");
+	local tmpfile     = "/tmp/zeek-activehttp-" + unique_id("");
 	local bodyfile    = fmt("%s_body", tmpfile);
 	local headersfile = fmt("%s_headers", tmpfile);
 

scripts/base/utils/addrs.zeek

@@ -1,31 +1,67 @@
 ##! Functions for parsing and manipulating IP and MAC addresses.
 
 # Regular expressions for matching IP addresses in strings.
-const ipv4_addr_regex = /[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/;
-const ipv6_8hex_regex = /([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/;
-const ipv6_compressed_hex_regex = /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)/;
-const ipv6_hex4dec_regex = /(([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/;
-const ipv6_compressed_hex4dec_regex = /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/;
 
-# These are commented out until patterns can be constructed this way at init time.
+const ipv4_decim = /[0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]/;
-#const ipv6_addr_regex = ipv6_8hex_regex |
-#                        ipv6_compressed_hex_regex |
-#                        ipv6_hex4dec_regex |
-#                        ipv6_compressed_hex4dec_regex;
-#const ip_addr_regex = ipv4_addr_regex | ipv6_addr_regex;
 
-const ipv6_addr_regex =
+const ipv4_addr_regex = ipv4_decim & /\./ & ipv4_decim & /\./ & ipv4_decim & /\./ & ipv4_decim;
-    /([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/ |
-    /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)/ | # IPv6 Compressed Hex
-    /(([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/ | # 6Hex4Dec
-    /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/; # CompressedHex4Dec
 
-const ip_addr_regex =
+const ipv6_hextet = /[0-9A-Fa-f]{1,4}/;
-    /[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/ |
+
-    /([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/ |
+const ipv6_8hex_regex = /([0-9A-Fa-f]{1,4}:){7}/ & ipv6_hextet;
-    /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)/ | # IPv6 Compressed Hex
+
-    /(([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/ | # 6Hex4Dec
+const ipv6_hex4dec_regex = /([0-9A-Fa-f]{1,4}:){6}/ & ipv4_addr_regex;
-    /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/; # CompressedHex4Dec
+
+const ipv6_compressed_lead_hextets0 = /::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?/;
+
+const ipv6_compressed_lead_hextets1 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?/;
+
+const ipv6_compressed_lead_hextets2 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?/;
+
+const ipv6_compressed_lead_hextets3 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?/;
+
+const ipv6_compressed_lead_hextets4 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?/;
+
+const ipv6_compressed_lead_hextets5 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?/;
+
+const ipv6_compressed_lead_hextets6 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?/;
+
+const ipv6_compressed_lead_hextets7 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::/;
+
+const ipv6_compressed_hex_regex = ipv6_compressed_lead_hextets0 |
+                                  ipv6_compressed_lead_hextets1 |
+                                  ipv6_compressed_lead_hextets2 |
+                                  ipv6_compressed_lead_hextets3 |
+                                  ipv6_compressed_lead_hextets4 |
+                                  ipv6_compressed_lead_hextets5 |
+                                  ipv6_compressed_lead_hextets6 |
+                                  ipv6_compressed_lead_hextets7;
+
+const ipv6_compressed_hext4dec_lead_hextets0 = /::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?/ & ipv4_addr_regex;
+
+const ipv6_compressed_hext4dec_lead_hextets1 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?/ & ipv4_addr_regex;
+
+const ipv6_compressed_hext4dec_lead_hextets2 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?/ & ipv4_addr_regex;
+
+const ipv6_compressed_hext4dec_lead_hextets3 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?/ & ipv4_addr_regex;
+
+const ipv6_compressed_hext4dec_lead_hextets4 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?/ & ipv4_addr_regex;
+
+const ipv6_compressed_hext4dec_lead_hextets5 = /[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::/ & ipv4_addr_regex;
+
+const ipv6_compressed_hex4dec_regex = ipv6_compressed_hext4dec_lead_hextets0 |
+                                      ipv6_compressed_hext4dec_lead_hextets1 |
+                                      ipv6_compressed_hext4dec_lead_hextets2 |
+                                      ipv6_compressed_hext4dec_lead_hextets3 |
+                                      ipv6_compressed_hext4dec_lead_hextets4 |
+                                      ipv6_compressed_hext4dec_lead_hextets5;
+
+const ipv6_addr_regex = ipv6_8hex_regex |
+                        ipv6_compressed_hex_regex |
+                        ipv6_hex4dec_regex |
+                        ipv6_compressed_hex4dec_regex;
+
+const ip_addr_regex = ipv4_addr_regex | ipv6_addr_regex;
 
 ## Checks if all elements of a string array are a valid octet value.
 ##
@@ -44,67 +80,6 @@ function has_valid_octets(octets: string_vec): bool
 	return T;
 	}
 
-## Checks if a string appears to be a valid IPv4 or IPv6 address.
-##
-## ip_str: the string to check for valid IP formatting.
-##
-## Returns: T if the string is a valid IPv4 or IPv6 address format.
-function is_valid_ip(ip_str: string): bool
-	{
-	local octets: string_vec;
-	if ( ip_str == ipv4_addr_regex )
-		{
-		octets = split_string(ip_str, /\./);
-		if ( |octets| != 4 )
-			return F;
-
-		return has_valid_octets(octets);
-		}
-	else if ( ip_str == ipv6_addr_regex )
-		{
-		if ( ip_str == ipv6_hex4dec_regex ||
-		     ip_str == ipv6_compressed_hex4dec_regex )
-			{
-			# the regexes for hybrid IPv6-IPv4 address formats don't for valid
-			# octets within the IPv4 part, so do that now
-			octets = split_string(ip_str, /\./);
-			if ( |octets| != 4 )
-				return F;
-
-			# get rid of remaining IPv6 stuff in first octet
-			local tmp = split_string(octets[0], /:/);
-			octets[0] = tmp[|tmp| - 1];
-
-			return has_valid_octets(octets);
-			}
-		else
-			{
-			# pure IPv6 address formats that only use hex digits don't need
-			# any additional checks -- the regexes should be complete
-			return T;
-			}
-		}
-	return F;
-	}
-
-## Extracts all IP (v4 or v6) address strings from a given string.
-##
-## input: a string that may contain an IP address anywhere within it.
-##
-## Returns: an array containing all valid IP address strings found in *input*.
-function find_ip_addresses(input: string): string_array &deprecated
-	{
-	local parts = split_string_all(input, ip_addr_regex);
-	local output: string_array;
-
-	for ( i in parts )
-		{
-		if ( i % 2 == 1 && is_valid_ip(parts[i]) )
-			output[|output|] = parts[i];
-		}
-	return output;
-	}
-
 ## Extracts all IP (v4 or v6) address strings from a given string.
 ##
 ## input: a string that may contain an IP address anywhere within it.

scripts/base/utils/geoip-distance.zeek

@@ -1,7 +1,7 @@
 ##! Functions to calculate distance between two locations, based on GeoIP data.
 
 ## Returns the distance between two IP addresses using the haversine formula,
-## based on GeoIP database locations.  Requires Bro to be built with GeoIP.
+## based on GeoIP database locations.  Requires Zeek to be built with GeoIP.
 ##
 ## a1: First IP address.
 ##

scripts/base/utils/json.zeek

@@ -1,9 +1,9 @@
-##! Functions to assist with generating JSON data from Bro data scructures.
+##! Functions to assist with generating JSON data from Zeek data scructures.
 # We might want to implement this in core somtime, this looks... hacky at best.
 
 @load base/utils/strings
 
-## A function to convert arbitrary Bro data into a JSON string.
+## A function to convert arbitrary Zeek data into a JSON string.
 ##
 ## v: The value to convert to JSON.  Typically a record.
 ##

scripts/base/utils/patterns.zeek

@@ -9,7 +9,7 @@ module GLOBAL;
 ## ss: a set of strings to OR together.
 ##
 ## pat: the pattern containing a "~~"  in it.  If a literal backslash is
-##      included, it needs to be escaped with another backslash due to Bro's
+##      included, it needs to be escaped with another backslash due to Zeek's
 ##      string parsing reducing it to a single backslash upon rendering.
 ##
 ## Returns: the input pattern with "~~" replaced by OR'd elements of input set.

scripts/base/utils/site.zeek

@@ -17,7 +17,7 @@ export {
 		[::1]/128,
 	};
 
-	## Networks that are considered "local".  Note that BroControl sets
+	## Networks that are considered "local".  Note that ZeekControl sets
 	## this automatically.
 	option local_nets: set[subnet] = {};
 

scripts/base/utils/strings.zeek

@@ -1,5 +1,5 @@
 ##! Functions to assist with small string analysis and manipulation that can
-##! be implemented as Bro functions and don't need to be implemented as built-in
+##! be implemented as Zeek functions and don't need to be implemented as built-in
 ##! functions.
 
 ## Returns true if the given string is at least 25% composed of 8-bit

scripts/policy/frameworks/control/controllee.zeek

@@ -1,11 +1,11 @@
 ##! The controllee portion of the control framework.  Load this script if remote
-##! runtime control of the Bro process is desired.
+##! runtime control of the Zeek process is desired.
 ##!
 ##! A controllee only needs to load the controllee script in addition
 ##! to the specific analysis scripts desired.  It may also need a node
 ##! configured as a controller node in the communications nodes configuration::
 ##!
-##!     bro <scripts> frameworks/control/controllee
+##!     zeek <scripts> frameworks/control/controllee
 
 @load base/frameworks/control
 @load base/frameworks/broker

scripts/policy/frameworks/control/controller.zeek

@@ -1,10 +1,10 @@
 ##! This is a utility script that implements the controller interface for the
-##! control framework.  It's intended to be run to control a remote Bro
+##! control framework.  It's intended to be run to control a remote Zeek
 ##! and then shutdown.
 ##!
 ##! It's intended to be used from the command line like this::
 ##!
-##!     bro <scripts> frameworks/control/controller Control::host=<host_addr> Control::host_port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
+##!     zeek <scripts> frameworks/control/controller Control::host=<host_addr> Control::host_port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
 
 @load base/frameworks/control
 @load base/frameworks/broker

scripts/policy/frameworks/packet-filter/shunt.zeek

@@ -4,18 +4,18 @@
 module PacketFilter;
 
 export {
-	## The maximum number of BPF based shunts that Bro is allowed to perform.
+	## The maximum number of BPF based shunts that Zeek is allowed to perform.
 	const max_bpf_shunts = 100 &redef;
 
 	## Call this function to use BPF to shunt a connection (to prevent the
-	## data packets from reaching Bro).  For TCP connections, control
+	## data packets from reaching Zeek).  For TCP connections, control
-	## packets are still allowed through so that Bro can continue logging
+	## packets are still allowed through so that Zeek can continue logging
 	## the connection and it can stop shunting once the connection ends.
 	global shunt_conn: function(id: conn_id): bool;
 
 	## This function will use a BPF expression to shunt traffic between
 	## the two hosts given in the `conn_id` so that the traffic is never
-	## exposed to Bro's traffic processing.
+	## exposed to Zeek's traffic processing.
 	global shunt_host_pair: function(id: conn_id): bool;
 
 	## Remove shunting for a host pair given as a `conn_id`.  The filter

scripts/policy/integration/barnyard2/main.zeek

@@ -1,4 +1,4 @@
-##! This script lets Barnyard2 integrate with Bro.  It receives alerts from
+##! This script lets Barnyard2 integrate with Zeek.  It receives alerts from
 ##! Barnyard2 and logs them.  In the future it will do more correlation
 ##! and derive new notices from the alerts.
 
@@ -20,7 +20,7 @@ export {
 	
 	## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to
 	## a :zeek:type:`conn_id` value in the case that you might need to index 
-	## into an existing data structure elsewhere within Bro.
+	## into an existing data structure elsewhere within Zeek.
 	global pid2cid: function(p: PacketID): conn_id;
 }
 

scripts/policy/integration/collective-intel/README

@@ -1,4 +1,4 @@
 The scripts in this module are for deeper integration with the
-Collective Intelligence Framework (CIF) since Bro's Intel framework
+Collective Intelligence Framework (CIF) since Zeek's Intel framework
 doesn't natively behave the same as CIF nor does it store and maintain
 the same data in all cases.

scripts/policy/integration/collective-intel/main.zeek

@@ -3,7 +3,7 @@
 
 module Intel;
 
-## These are some fields to add extended compatibility between Bro and the
+## These are some fields to add extended compatibility between Zeek and the
 ## Collective Intelligence Framework.
 redef record Intel::MetaData += {
 	## Maps to the Impact field in the Collective Intelligence Framework.

scripts/policy/misc/capture-loss.zeek

@@ -25,7 +25,7 @@ export {
 		ts:           time     &log;
 		## The time delay between this measurement and the last.
 		ts_delta:     interval &log;
-		## In the event that there are multiple Bro instances logging
+		## In the event that there are multiple Zeek instances logging
 		## to the same host, this distinguishes each peer with its
 		## individual name.
 		peer:         string   &log;

scripts/policy/misc/dump-events.zeek

@@ -1,6 +1,6 @@
-##! This script dumps the events that Bro raises out to standard output in a
+##! This script dumps the events that Zeek raises out to standard output in a
 ##! readable form. This is for debugging only and allows to understand events and
-##! their parameters as Bro processes input. Note that it will show only events
+##! their parameters as Zeek processes input. Note that it will show only events
 ##! for which a handler is defined.
 
 module DumpEvents;

scripts/policy/misc/load-balancing.zeek

@@ -1,5 +1,5 @@
-##! This script implements the "Bro side" of several load balancing
+##! This script implements the "Zeek side" of several load balancing
-##! approaches for Bro clusters.
+##! approaches for Zeek clusters.
 
 @load base/frameworks/cluster
 @load base/frameworks/packet-filter

scripts/policy/misc/profiling.zeek

@@ -1,4 +1,4 @@
-##! Turns on profiling of Bro resource consumption.
+##! Turns on profiling of Zeek resource consumption.
 
 module Profiling;
 

scripts/policy/misc/stats.zeek

@@ -100,7 +100,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 	local ds = get_dns_stats();
 
 	if ( bro_is_terminating() )
-		# No more stats will be written or scheduled when Bro is
+		# No more stats will be written or scheduled when Zeek is
 		# shutting down.
 		return;
 

scripts/policy/protocols/conn/known-hosts.zeek

@@ -1,4 +1,4 @@
-##! This script logs hosts that Bro determines have performed complete TCP 
+##! This script logs hosts that Zeek determines have performed complete TCP
 ##! handshakes and logs the address once per day (by default).  The log that 
 ##! is output provides an easy way to determine a count of the IP addresses in
 ##! use on a network per day.
@@ -22,7 +22,7 @@ export {
 	};
 
 	## Toggles between different implementations of this script.
-	## When true, use a Broker data store, else use a regular Bro set
+	## When true, use a Broker data store, else use a regular Zeek set
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_host_store = T &redef;

scripts/policy/protocols/conn/known-services.zeek

@@ -28,7 +28,7 @@ export {
 	};
 
 	## Toggles between different implementations of this script.
-	## When true, use a Broker data store, else use a regular Bro set
+	## When true, use a Broker data store, else use a regular Zeek set
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_service_store = T &redef;

scripts/policy/protocols/dhcp/deprecated_events.zeek

@@ -1,272 +0,0 @@
-##! Bro 2.6 removed certain DHCP events, but scripts in the Bro
-##! ecosystem are still relying on those events. As a transition, this
-##! script will handle the new event, and generate the old events,
-##! which are marked as deprecated.  Note: This script should be
-##! removed in the next Bro version after 2.6.
-
-@load base/protocols/dhcp
-
-## A DHCP message.
-##
-## .. note:: This type is included to support the deprecated events dhcp_ack,
-##           dhcp_decline, dhcp_discover, dhcp_inform, dhcp_nak, dhcp_offer,
-##           dhcp_release and dhcp_request and is thus similarly deprecated
-##           itself. Use :zeek:see:`dhcp_message` instead.
-##
-## .. zeek:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover
-##              dhcp_inform dhcp_nak dhcp_offer dhcp_release dhcp_request
-type dhcp_msg: record {
-	op: count;      ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
-	m_type: count;  ##< The type of DHCP message.
-	xid: count;     ##< Transaction ID of a DHCP session.
-	h_addr: string; ##< Hardware address of the client.
-	ciaddr: addr;   ##< Original IP address of the client.
-	yiaddr: addr;   ##< IP address assigned to the client.
-};
-
-## A list of router addresses offered by a DHCP server.
-##
-## .. note:: This type is included to support the deprecated events dhcp_ack
-##           and dhcp_offer and is thus similarly deprecated
-##           itself. Use :zeek:see:`dhcp_message` instead.
-##
-## .. zeek:see:: dhcp_message dhcp_ack dhcp_offer
-type dhcp_router_list: table[count] of addr;
-
-## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate
-## available servers).
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## req_addr: The specific address requested by the client.
-##
-## host_name: The value of the host name option, if specified by the client.
-##
-## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
-##              dhcp_decline dhcp_ack dhcp_nak dhcp_release dhcp_inform
-##
-## .. note:: This event has been deprecated, and will be removed in the next version.
-##    Use dhcp_message instead.
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-##    protocol). It treats broadcast addresses just like any other and
-##    associates packets into transport-level flows in the same way as usual.
-##
-global dhcp_discover: event(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string) &deprecated;
-
-## Generated for DHCP messages of type *DHCPOFFER* (server to client in response
-## to DHCPDISCOVER with offer of configuration parameters).
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## mask: The subnet mask specified by the message.
-##
-## router: The list of routers specified by the message.
-##
-## lease: The least interval specified by the message.
-##
-## serv_addr: The server address specified by the message.
-##
-## host_name: Optional host name value. May differ from the host name requested
-##            from the client.
-##
-## .. zeek:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline
-##              dhcp_ack dhcp_nak dhcp_release dhcp_inform
-##
-## .. note:: This event has been deprecated, and will be removed in the next version.
-##    Use dhcp_message instead.
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-##    protocol). It treats broadcast addresses just like any other and
-##    associates packets into transport-level flows in the same way as usual.
-##
-global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &deprecated;
-
-## Generated for DHCP messages of type *DHCPREQUEST* (Client message to servers either
-## (a) requesting offered parameters from one server and implicitly declining offers
-## from all others, (b) confirming correctness of previously allocated address after,
-## e.g., system reboot, or (c) extending the lease on a particular network address.)
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## req_addr: The client address specified by the message.
-##
-## serv_addr: The server address specified by the message.
-##
-## host_name: The value of the host name option, if specified by the client.
-##
-## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline
-##    	       dhcp_ack dhcp_nak dhcp_release dhcp_inform
-##
-## .. note:: This event has been deprecated, and will be removed in the next version.
-##    Use dhcp_message instead.
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-##    protocol). It treats broadcast addresses just like any other and
-##    associates packets into transport-level flows in the same way as usual.
-##
-global dhcp_request: event(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string) &deprecated;
-
-## Generated for DHCP messages of type *DHCPDECLINE* (Client to server indicating
-## network address is already in use).
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## host_name: Optional host name value.
-##
-## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
-##              dhcp_ack dhcp_nak dhcp_release dhcp_inform
-##
-## .. note:: This event has been deprecated, and will be removed in the next version.
-##    Use dhcp_message instead.
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-##    protocol). It treats broadcast addresses just like any other and
-##    associates packets into transport-level flows in the same way as usual.
-##
-global dhcp_decline: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
-
-## Generated for DHCP messages of type *DHCPACK* (Server to client with configuration
-## parameters, including committed network address).
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## mask: The subnet mask specified by the message.
-##
-## router: The list of routers specified by the message.
-##
-## lease: The least interval specified by the message.
-##
-## serv_addr: The server address specified by the message.
-##
-## host_name: Optional host name value. May differ from the host name requested
-##            from the client.
-##
-## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
-##              dhcp_decline dhcp_nak dhcp_release dhcp_inform
-##
-## .. note:: This event has been deprecated, and will be removed in the next version.
-##    Use dhcp_message instead.
-##
-global dhcp_ack: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &deprecated;
-
-## Generated for DHCP messages of type *DHCPNAK* (Server to client indicating client's
-## notion of network address is incorrect (e.g., client has moved to new subnet) or
-## client's lease has expired).
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## host_name: Optional host name value.
-##
-## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
-##              dhcp_decline dhcp_ack dhcp_release dhcp_inform
-##
-## .. note:: This event has been deprecated, and will be removed in the next version.
-##    Use dhcp_message instead.
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-##    protocol). It treats broadcast addresses just like any other and
-##    associates packets into transport-level flows in the same way as usual.
-##
-global dhcp_nak: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
-
-## Generated for DHCP messages of type *DHCPRELEASE* (Client to server relinquishing
-## network address and cancelling remaining lease).
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## host_name: The value of the host name option, if specified by the client.
-##
-## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
-##              dhcp_decline dhcp_ack dhcp_nak dhcp_inform
-##
-## .. note:: This event has been deprecated, and will be removed in the next version.
-##    Use dhcp_message instead.
-##
-global dhcp_release: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
-
-## Generated for DHCP messages of type *DHCPINFORM* (Client to server, asking only for
-## local configuration parameters; client already has externally configured network
-## address).
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## host_name: The value of the host name option, if specified by the client.
-##
-## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
-##              dhcp_decline dhcp_ack dhcp_nak dhcp_release
-##
-## .. note:: This event has been deprecated, and will be removed in the next version.
-##    Use dhcp_message instead.
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-##    protocol). It treats broadcast addresses just like any other and
-##    associates packets into transport-level flows in the same way as usual.
-##
-global dhcp_inform: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
-
-event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
-	{
-	local old_msg: dhcp_msg = [$op=msg$op, $m_type=msg$m_type, $xid=msg$xid,
-	                           $h_addr=msg$chaddr, $ciaddr=msg$ciaddr, $yiaddr=msg$yiaddr];
-
-	local routers = dhcp_router_list();
-
-	if ( options?$routers )
-		for ( i in options$routers )
-			routers[|routers|] = options$routers[i];
-
-	# These fields are technically optional, but aren't listed as such in the event.
-	# We give it some defaults in order to suppress errors.
-	local ar = ( options?$addr_request ) ? options$addr_request : 0.0.0.0;
-	local hn = ( options?$host_name ) ? options$host_name : "";
-	local le = ( options?$lease ) ? options$lease : 0 secs;
-	local sm = ( options?$subnet_mask ) ? options$subnet_mask : 255.255.255.255;
-	local sa = ( options?$serv_addr ) ? options$serv_addr : 0.0.0.0;
-
-	switch ( DHCP::message_types[msg$m_type] ) {
-	case "DISCOVER":
-		event dhcp_discover(c, old_msg, ar, hn);
-		break;
-	case "OFFER":
-		event dhcp_offer(c, old_msg, sm, routers, le, sa, hn);
-		break;
-	case "REQUEST":
-		event dhcp_request(c, old_msg, ar, sa, hn);
-		break;
-	case "DECLINE":
-		event dhcp_decline(c, old_msg, hn);
-		break;
-	case "ACK":
-		event dhcp_ack(c, old_msg, sm, routers, le, sa, hn);
-		break;
-	case "NAK":
-		event dhcp_nak(c, old_msg, hn);
-		break;
-	case "RELEASE":
-		event dhcp_release(c, old_msg, hn);
-		break;
-	case "INFORM":
-		event dhcp_inform(c, old_msg, hn);
-		break;
-	default:
-		# This isn't a weird, it's just a DHCP message type the old scripts don't handle
-		break;
-		}
-	}

scripts/policy/protocols/smb/__load__.zeek

@@ -1,3 +0,0 @@
-@deprecated "Use '@load base/protocols/smb' instead"
-
-@load base/protocols/smb

scripts/policy/protocols/smtp/detect-suspicious-orig.zeek

@@ -10,7 +10,7 @@ export {
 
 	## Places where it's suspicious for mail to originate from represented
 	## as all-capital, two character country codes (e.g., US).  It requires
-	## Bro to be built with GeoIP support.
+	## Zeek to be built with GeoIP support.
 	option suspicious_origination_countries: set[string] = {};
 	option suspicious_origination_networks: set[subnet] = {};
 

scripts/policy/protocols/smtp/software.zeek

@@ -26,7 +26,7 @@ export {
 	};
 	
 	## Assuming that local mail servers are more trustworthy with the
-	## headers they insert into message envelopes, this default makes Bro
+	## headers they insert into message envelopes, this default makes Zeek
 	## not attempt to detect software in inbound message bodies.  If mail
 	## coming in from external addresses gives incorrect data in
 	## the Received headers, it could populate your SOFTWARE logging stream

scripts/policy/protocols/ssl/known-certs.zeek

@@ -32,7 +32,7 @@ export {
 	option cert_tracking = LOCAL_HOSTS;
 
 	## Toggles between different implementations of this script.
-	## When true, use a Broker data store, else use a regular Bro set
+	## When true, use a Broker data store, else use a regular Zeek set
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_cert_store = T &redef;

scripts/policy/protocols/ssl/validate-certs.zeek

@@ -34,7 +34,7 @@ export {
 		&read_expire=5mins &redef;
 
 	## Use intermediate CA certificate caching when trying to validate
-	## certificates. When this is enabled, Bro keeps track of all valid
+	## certificates. When this is enabled, Zeek keeps track of all valid
 	## intermediate CA certificates that it has seen in the past. When
 	## encountering a host certificate that cannot be validated because
 	## of missing intermediate CA certificate, the cached list is used

scripts/policy/protocols/ssl/validate-sct.zeek

@@ -34,7 +34,7 @@ export {
 		logid: string;
 		## The timestamp at which this SCT was issued measured since the
 		## epoch (January 1, 1970, 00:00), ignoring leap seconds, in
-		## milliseconds. Not converted to a Bro timestamp because we need
+		## milliseconds. Not converted to a Zeek timestamp because we need
 		## the exact value for validation.
 		timestamp: count;
 		## The signature algorithm used for this sct.

scripts/test-all-policy.zeek

@@ -1,4 +1,4 @@
-# This file loads ALL policy scripts that are part of the Bro distribution.
+# This file loads ALL policy scripts that are part of the Zeek distribution.
 # 
 # This is rarely makes sense, and is for testing only.
 # 
@@ -63,7 +63,6 @@
 @load protocols/conn/mac-logging.zeek
 @load protocols/conn/vlan-logging.zeek
 @load protocols/conn/weirds.zeek
-#@load protocols/dhcp/deprecated_events.zeek
 @load protocols/dhcp/msg-orig.zeek
 @load protocols/dhcp/software.zeek
 @load protocols/dhcp/sub-opts.zeek
@@ -84,7 +83,6 @@
 @load protocols/modbus/track-memmap.zeek
 @load protocols/mysql/software.zeek
 @load protocols/rdp/indicate_ssl.zeek
-#@load protocols/smb/__load__.zeek
 @load protocols/smb/log-cmds.zeek
 @load protocols/smtp/blocklists.zeek
 @load protocols/smtp/detect-suspicious-orig.zeek

scripts/zeekygen/README

@@ -1,4 +1,4 @@
 This package is loaded during the process which automatically generates
-reference documentation for all Zeek scripts (i.e. "Zeexygen").  Its only
+reference documentation for all Zeek scripts (i.e. "Zeekygen").  Its only
 purpose is to provide an easy way to load all known Zeek scripts plus any
 extra scripts needed or used by the documentation process.

scripts/zeekygen/__load__.zeek

@@ -6,8 +6,6 @@
 @load frameworks/control/controller.zeek
 @load frameworks/files/extract-all-files.zeek
 @load policy/misc/dump-events.zeek
-@load policy/protocols/dhcp/deprecated_events.zeek
-@load policy/protocols/smb/__load__.zeek
 
 @load ./example.zeek