start reworking interface of software framework. working apart from detect-webapps.bro, which direcly manipulates a no longer available interface...

scripts/policy/protocols/ftp/software.bro

@@ -21,7 +21,6 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4
 	{
 	if ( command == "CLNT" )
 		{
-		local si = Software::parse(arg, c$id$orig_h, FTP_CLIENT);
-		Software::found(c$id, si);
+		Software::found([$id=c$id, $banner=arg, $host=c$id$orig_h, $sw_type=FTP_CLIENT]);
 		}
 	}

scripts/policy/protocols/http/software-browser-plugins.bro

@@ -26,8 +26,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 			# Flash doesn't include it's name so we'll add it here since it 
 			# simplifies the version parsing.
 			value = cat("Flash/", value);
-			local flash_version = Software::parse(value, c$id$orig_h, BROWSER_PLUGIN);
-			Software::found(c$id, flash_version);
+			Software::found([$id=c$id, $banner=flash_version, $host=c$id$orig_h, $sw_type=BROWSER_PLUGIN]);
 			}
 		}
 	else
@@ -54,7 +53,7 @@ event log_http(rec: Info)
 			local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/);
 			
 			for ( i in plugins )
-				Software::found(rec$id, Software::parse(plugins[i], rec$id$orig_h, BROWSER_PLUGIN));
+				Software::found([$id=rec$id, $banner=plugins[i], $host=rec$id$orig_h, $sw_type=BROWSER_PLUGIN]);
 			}
 		}
-	}
+	}

scripts/policy/protocols/http/software.bro

@@ -20,18 +20,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 	if ( is_orig )
 		{
 		if ( name == "USER-AGENT" && ignored_user_agents !in value )
-			Software::found(c$id, Software::parse(value, c$id$orig_h, BROWSER));
+			Software::found([$id=c$id, $banner=value, $host=c$id$orig_h, $sw_type=BROWSER]);
 		}
 	else
 		{
 		if ( name == "SERVER" )
-			Software::found(c$id, Software::parse_with_port(value, c$id$resp_h, c$id$resp_p, SERVER));
+			Software::found([$id=c$id, $banner=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=SERVER]);
 		else if ( name == "X-POWERED-BY" )
-			Software::found(c$id, Software::parse_with_port(value, c$id$resp_h, c$id$resp_p, APPSERVER));
+			Software::found([$id=c$id, $banner=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=APPSERVER]);
 		else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" )
 			{
 			value = cat("SharePoint/", value);
-			Software::found(c$id, Software::parse_with_port(value, c$id$resp_h, c$id$resp_p, APPSERVER));
+			Software::found([$id=c$id, $banner=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=APPSERVER]);
 			}
 		}
 	}

scripts/policy/protocols/smtp/software.bro

@@ -75,8 +75,7 @@ event log_smtp(rec: Info)
 		if ( addr_matches_host(rec$id$orig_h,
 		                       detect_clients_in_messages_from) )
 			{
-			local s = Software::parse(rec$user_agent, client_ip, s_type);
-			Software::found(rec$id, s);
+			Software::found([$id=rec$id, $banner=rec$user_agent, $host=client_ip, $sw_type=s_type]);
 			}
 		}
 	}

scripts/policy/protocols/ssh/software.bro

@@ -16,14 +16,12 @@ event ssh_client_version(c: connection, version: string) &priority=4
 	{
 	# Get rid of the protocol information when passing to the software framework.
 	local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, "");
-	local si = Software::parse(cleaned_version, c$id$orig_h, CLIENT);
-	Software::found(c$id, si);
+	Software::found([$id=c$id, $banner=cleaned_version, $host=c$id$orig_h, $sw_type=CLIENT]);
 	}
 
 event ssh_server_version(c: connection, version: string) &priority=4
 	{
 	# Get rid of the protocol information when passing to the software framework.
 	local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, "");
-	local si = Software::parse_with_port(cleaned_version, c$id$resp_h, c$id$resp_p, SERVER);
-	Software::found(c$id, si);
+	Software::found([$id=c$id, $banner=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=SERVER]);
 	}